Narmi Functions

Narmi Functions provides a powerful toolset for your financial institution to extend Narmi’s open platform without building or managing infrastructure. With Narmi Functions, you can create serverless functions from pre-configured templates or from custom code packages. This enables you to seamlessly integrate with Narmi’s API, leverage webhooks for event-driven integrations, schedule back office automation, and much more.

In this article:

• What Is a Narmi Function?
• Maintain and Monitor Functions
• Security
• Technical Limitations
• Built-in Templates
• Create a New Function and NAF App

What Is a Narmi Function?

A function is a single-purpose block of code that can be used over and over again. A Narmi Function is a serverless function, which allows you to execute a custom task on-demand in the cloud. This serverless function is triggered by a specific condition and deployed to a managed environment.

A serverless architecture eliminates the responsibility of managing the network, hardware, and operating system infrastructure typically involved with integration, so you can deploy and use features quickly, and only pay for the computing resources you use.

Narmi Function Types

There are three types of Narmi Functions:

• Webhook based – An event in Narmi can trigger a custom workflow via a webhook.  For example, you can create a Narmi Function to receive a Slack message whenever a wire transfer needs review.
• Schedule based – A custom workflow can be triggered according to a custom recurring schedule.  For example, you can create a custom weekly email to executives with statistics about opened accounts.
• Narmi Application Framework (NAF) based – Combining a Narmi Function with the Narmi Application Framework (NAF) and Narmi’s API allows you to integrate a custom feature within the Online Banking experience. For example, you can embed a third-party application that your customers or members access from a menu option, which opens within the Narmi Platform in WebView. iFrame support is coming soon.

Narmi Function Process

The process of a Narmi Function involves the following steps:

1. Create a Narmi Function with our pre-written code, write a new function directly in the Narmi Function service or upload a custom code zip file.
2. Select a function type and enter environment variables. Configure necessary authentication.
3. The function is deployed to the cloud.
4. The function is triggered by an event, executed on a recurring schedule, or triggered by the user browsing to the app in Digital Banking.

Please contact your Narmi General Manager to discuss extending your banking platform with Narmi Functions.

Maintain and Monitor Functions

You can see relevant information about your function, as well as update and monitor functions from the Function details page. To access this page, select your function from the Narmi Functions list. The following actions are available:

• Deactivate function – Deactivates and immediately applies a rate limit of zero to the function. All requests to the function URL will result in a 429 HTTP status code.
• Activate function – Restores the function to an active state, so it can be invoked again via its invocation URL.
• Update function configuration – Allows you to edit the name, description, and environment variables for the function. Also allows you to upload a new code archive to the function. If a new package is selected, the function will be replaced by the new package and the previous version may not be recoverable.
• Download function code – Downloads the currently live version of the function package.
• Submit a test event – Allows you to invoke the function with a test JSON input, this will display the resulting function output, and up to 4KB of logs produced by the function.
• Override function concurrency – Allows you to override the number of individual requests that can be simultaneously running the Narmi function. The default function concurrency is 1. Functions in UAT environments are limited to 1 concurrent execution. Functions in production environments are limited to 25. Any requests beyond this will result in a 429 HTTP response.

You can also manually update the function using the code editor in the Code tab. This allows live updates to only the handler file. Updates to other files or dependencies must be made locally and can be uploaded via the Update function configuration action.

The Monitor tab displays your functions metrics over the desired time window, aggregating number of executions, errors, and average runtime. You can also download all function logs from a recent time range.

Runtime Deprecation Policy

Narmi Functions currently only supports a Node.js 18 runtime. Node.js 18 is expected to be supported until at least April 2025. A newer runtime would be available before the deprecation of an older runtime began. Deprecation (end of support) for a runtime occurs in three phases.

• Phase 1 – AWS no longer applies security patches or other updates to the underlying deprecated runtime. You can no longer create Narmi Functions that use the deprecated runtime, but you can continue to update existing Narmi Functions.
• Phase 2 – You can no longer create or update Narmi Functions that use the deprecated runtime. To update a function, you need to migrate it to a supported runtime. Phase 2 starts at least 30 days after the start of Phase 1.
• Phase 3 – Any remaining Narmi Functions using the deprecated runtime are disabled. Phase 3 starts at least 60 days after the start of Phase 2.

Security

The Financial Institution is responsible for the Security in a Narmi Function section. Please review it carefully.

Security of the Cloud

AWS is responsible for the security of the AWS Cloud including the services used by Narmi Functions. These AWS services include CloudFront, CloudTrail, CloudWatch, GuardDuty, KMS, Lambda, Amazon Simple Storage Service (S3), and Shield.  Attestations covering these AWS services include SOC 1, SOC 2, SOC 3, PCI, ISO 27001, and many others.

• Encryption in transit – AWS ensures that URL endpoints only support secure connections over HTTPS. As such, all ingress is encrypted with Transport Layer Security (TLS).
• Encryption at rest – AWS always encrypts files uploaded to the services used.
• AWS is protected by the AWS global network security procedures.
• AWS provides runtimes that run function code in an Amazon Linux–based execution environment. AWS is responsible for keeping software in the runtime and execution environment up to date, and deprecating runtimes when the underlying software is no longer supported.

Security in the Cloud

Narmi is responsible for ensuring that proper protections and best practices are used in our implementation of the AWS services used by Narmi Functions.

• Narmi ensures each Narmi Function execution environment has least privilege access.
• Narmi requires that each AWS Account user have MFA and limits access to the AWS Account used by Narmi Functions to appropriate personnel.
• Narmi uses AWS CloudTrail for purposes of auditing and monitoring changes to the underlying AWS services used by Narmi Functions.
• Narmi always encrypts the environment variables used by Narmi Functions at rest using AWS KMS.
• Narmi ensures no confidential or sensitive information is used in tags or free-form fields such as the AWS Lambda Function “Name” field.
• Narmi uses a 60 day retention policy for logging.
• Security of the Narmi Function service:
  • Encryption in transit – Narmi ensures that all code and secrets are uploaded over secure connections over HTTPS/TLS and transmitted securely to AWS.
  • Encryption at rest – Narmi requires that all code and secrets are stored using encryption (on AWS).
  • Permissions – Narmi ensures that granular permissions govern the CRUD of Narmi Functions.
  • Templates – Narmi must ensure that the unmodified “Templates” update any vulnerable dependencies and implement appropriate safeguards to satisfy the below “Security in a Narmi Function” requirements

Security in a Narmi Function

The Financial Institution is responsible for applying best practices and securing each Narmi Function as outlined below.

• The Financial Institution is responsible for configuring the Narmi Function. This includes whether the Narmi Function has a URL.
• The Financial Institution is responsible for ensuring the code uploaded to the Narmi Function service is free of all defects and security vulnerabilities. If any additional dependencies and/or libraries are defined in the code, the Financial Institution is responsible for updating them. When AWS Lambda deprecates a runtime, the Financial Institution is responsible for migrating functions to a supported runtime.
• The Financial Institution is responsible for ensuring all secrets are set as Environment Variables in the Narmi Function service and that these Environment Variables are never logged or returned by the Function. The Financial Institution is responsible for rotating these secrets as needed.
• Execution environments are never reused across different function versions or Financial Institutions. However, a single environment can be reused between invocations of the same function version. This means data and state can persist between invocations. Data and/or state may continue to persist for hours before it is destroyed as a part of normal execution environment lifecycle management. The Financial Institution must account for this behavior in the Narmi Function code.

Technical Limitations

There are several technical limits imposed on Narmi Functions that should be accounted for in development. Some of these limits are adjustable on a per-function basis. To request an increase, please contact support@narmi.com with the details of your function use case and reason for the requested increase.

Supported Runtimes – Currently, the only supported runtime is Node.js 18.

Code Archive Structure – The code archive must contain an index.js file. Within this file, an exported function called handler must exist. This will be the entry point of the Narmi Function.

Package Size – The maximum upload size for a package is 2.5MB.

Daily Invocation Limit – Each Narmi Function has a default limit of 10,000 daily executions. If a function surpasses this limit, it will be deactivated, and require Narmi Support to re-activate the function.

Concurrency – A Narmi Function in production has a default maximum concurrency of 25, meaning 25 individual requests can be simultaneously running the Narmi function. Any requests beyond this will result in a 429 HTTP response. Functions in UAT environments are limited to 1 concurrent execution.

Memory – Narmi Functions have 128MB of RAM in their execution environment.

Timeout – Narmi Functions have a maximum execution duration of 30 seconds per request.

Log Retention – Narmi Function logs are retained for 60 days.

Data Persistence – The Narmi Function service does not include a data persistence layer. You may use a third-party service or the Narmi API for data persistence as appropriate.

Egress – Outgoing traffic from a Narmi Function does not use a dedicated or static IP address.

Network – A Narmi Function cannot access any other Virtual Private Cloud (VPC). As a result, a Narmi Function cannot access resources that use a VPN connection (for example, some core banking systems).

Environment Variables – The total size of environment variables cannot exceed 4 KB. This cannot be increased.

Narmi Application Framework Type Functions – NAF-type functions require that the NAF Application opens in a new tab in Online Banking (GET request submitted to the application URL). iFrame (POST request) is coming soon.

Built-in Templates

Narmi Functions comes with nine pre-built templates to save development time on common integrations.

Hello World 

This is the most basic template, which outputs simple “Hello from Narmi!” text. We recommend starting with this template in order to get familiar with how Narmi Functions works. It shows the basic syntax and format of a Narmi Function javascript handler.

• Technical Details – This function will return a JSON response with two properties—a status code and message.
• Environment Variables – None
• Supported Types – This template supports all function types.

Hello World Hosted NAF

This template is a basic example of a statically hosted NAF App that connects to a backend Narmi function to fetch data. 

• Technical Details – The contents of the frontend UI are a simple html page and javascript file. The backend simply returns a greeting message.
• Additional notes: As an additional step, the dynamic backend Narmi function URL will need to be added to the url variable of the index.js file, and the frontend code will need to be re-uploaded. 
• Environment Variables – None
• Supported Types – This template supports only NAF type functions

Decrypt

This template is a helper module that decrypts environment variables for you. It demonstrates how encrypted and plaintext environment variables can be utilized.

• Technical Details – This template shows the necessary utility imports and syntax needed to decrypt encrypted environment variables. Note: The utility package does not need to be bundled with your application, and is included by default with all Narmi Functions.
• Environment Variables:
  • MY_NAME – A plaintext environment variable that is returned as part of the response message.
  • MY_SECRET – An encrypted environment variable that needs to be decrypted via an KMS API call before it can be viewed.
• Supported Types – This template supports all function types.

Slack Notification

This template can be used to create generic Slack notifications triggered by system events, such as wire transfers needing review. This function does not interact with the Narmi APIs.

• Technical Details – The function executes in two steps:
  1. The webhook request is validated via the webhook secret and ID, these are automatically included under the environment variables NARMI_WEBHOOK_SECRET and NARMI_WEBHOOK_UUID.
  2. A message is sent to the desired Slack channel using an API request to the Slack API.
• Environment Variables:
  • SLACK_TOKEN – The token of the Slack app that has access to send messages to your desired workspace. For information on setting up a basic Slack app and token, go to this Slack article on basic app setup.
  • SLACK_CHANNEL - The target channel to send the message to.
  • API_ROOT – The root domain of your Narmi API; this is typically https://api.yourdomain.com
• Supported Types – This template supports the webhook function type.

Slack and Admin API Integration

This template can be used to create Slack notifications triggered by certain user actions, such as wire transfers being created. Using this any supported user action can be alerted on in your organization’s slack channels.

• Technical Details – The function executes in four general steps:
  1. The webhook request is validated via the webhook secret and ID, these are automatically included under the environment variables NARMI_WEBHOOK_SECRET and NARMI_WEBHOOK_UUID.
  2. The encrypted environment var(s) are decrypted using the built-in utility functions bundled with the Narmi function.
  3. The signed headers are generated for the Narmi API request and the user’s information is retrieved from the Narmi API using the provided user_id.
  4. A message is sent to the desired Slack channel using an API request to the Slack API.The first two steps of this function should be universal for webhook functions to retrieve additional information on the user and related resources for the trigger event.
• Environment Variables:
  • SLACK_TOKEN – The token of the Slack app that has access to send messages to your desired workspace. For information on setting up a basic Slack app and token, go to this Slack article on basic app setup.
  • API_TOKEN – The token of an access token from your NAF App, which you register in the Admin Platform. The token and NAF App must have the scope private_api:user. Go to Manage Access Tokens for more information on tokens.
  • API_SECRET – The Client Secret of the above access token. This is used to sign request headers. The Client Secret will appear onscreen once you complete registration of the NAF App.
  • API_ROOT – The root domain of your Narmi API; this is typically https://api.yourdomain.com
• Supported Types – This template supports the webhook function type.

Narmi Function with the Admin API

An additional use case for the Slack and Admin API Integration template is creating a Narmi Function with access to the Admin API, which allows the function to get information on any user in the Admin Platform. An example of this is a webhook function that fetches additional user information from the user ID that is provided.

For this integration:

1. Use the Slack and Admin API Integration template.
2. Register a NAF App – Use private_api:user for the scope and do not make the app public/visible to users. For more information on NAF Apps and instructions on registering one, go to NAF Apps. 
3. Create a new access token with the same scope. Go to Manage Access Tokens for more information. This token with header signing in place will give the Narmi function access to query any user’s data via the Admin API.

NAF Oauth Toolkit

This template utilizes Oauth, which allows the function to make requests on an individual user's behalf.

• Technical Details – This function should be invoked by the user visiting the Function URL, added via a NAF App. Within the function, Oauth is used by decrypting the token that is submitted with the user request using the NAF App Client Secret, and then authorizing as the user via the Narmi Public API. When registering your NAF App, it should be public/visible to users and the Function URL should be entered as the Redirect URL. For more information on NAF Apps and instructions on registering one, go to NAF Apps.
• Environment Variables:
  • CLIENT_ID – The Client ID generated by your NAF App
  • CLIENT_SECRET – The Client Secret that appears onscreen after you register your NAF App
  • API_ROOT – The root domain of your Narmi API; this is typically https://api.yourdomain.com
• Supported Types – This template supports all function types.

Mailchimp Marketing

This function automatically adds users to a Mailchimp audience when they take a specified action. Use this to target users with specific marketing campaigns that are relevant to their banking usage and needs.

• Technical Details – The function executes in four general steps:
  1. The webhook request is validated via the webhook secret and ID, these are automatically included under the environment variables NARMI_WEBHOOK_SECRET and NARMI_WEBHOOK_UUID.
  2. The encrypted environment variables are decrypted using the utility functions  which are provided for each function. 
  3. The signed headers are generated for the Narmi API request and the user’s information is retrieved from the Narmi API using the provided user_id
  4. The Mailchimp API is invoked to subscribe the user to the specified mailing list.The first two steps of this function should be universal for webhook functions to retrieve additional information on the user and related resources for the trigger event.
• Environment Variables:
  • MAILCHIMP_API_KEY – The API key to access Mailchimp services. For setup instructions, see the Mailchimp Marketing API Quickstart.
  • MAILCHIMP_SERVER – The server/region which your Mailchimp instance is hosted on. This also appears at the end of your API key. For example, a key of 123456789abcdef-us6 has a server of us6.
  • API_TOKEN – The token of an access token created via the NAF Apps management portal. The token and parent application must have the scope private_api:user.
  • API_SECRET – The secret of the above access token. This is used to sign request headers.
  • API_ROOT – The root domain of your Narmi API; this is typically https://api.yourdomain.com.
• Supported Types – This template supports the webhook function type.

NAF List Accounts

This template uses a static hosted website and NAF Oauth, which allows the function to make GET requests to the /accounts endpoint in the Narmi Public API, returning a list of accounts for the user. This template utilizes the Narmi Design System style.

• Technical Details – This function should be invoked by the user visiting the hosted static web Frontend URL through a NAF App. This includes a GET request with query string parameters code and the code grant value passed from the NAF. Within the function, Oauth is used by fetching a NAF token that is submitted with the user request using the NAF App Client Secret, and then authorizing as the user via the Narmi Public API. Once the Oauth flow is complete, a GET /accounts Narmi Public API call is made, returning a list of the user’s accounts with Narmi Design System styling.
  • When registering your NAF App, it should be public/visible to users and the Frontend URL should be entered as the Redirect URL. Within the static hosted site, you should use the Backend URL to make requests with query strings. For more information on NAF Apps and instructions on registering one, go to NAF Apps. For more information on the Narmi Public API, go to Narmi Public API.
• Environment Variables:
  • CLIENT_ID – The Client ID generated by your NAF App
  • CLIENT_SECRET – The Client Secret that appears onscreen after you register your NAF App
  • API_ROOT – The root domain of your Narmi API; this is typically https://api.yourdomain.com
• Supported Types – This template supports only the NAF function type.

NAF Endpoints 

This template uses a static hosted website and NAF Oauth, which allows the function to make requests to any valid Narmi Public API endpoint, returning the request response’s raw data.

• Technical Details – This function should be invoked by the user visiting the hosted static web Frontend URL through a NAF App. This includes a GET request with query string parameters code, the code grant value passed from the NAF, and the Narmi Public API endpoint (for example, /cards). Within the function, Oauth is used by fetching a NAF token that is submitted with the user request using the NAF App Client Secret, and then authorizing as the user via the Narmi Public API. Once the Oauth flow is complete, a GET request to the endpoint supplied is sent to Narmi Public API.
  • When registering your NAF App, it should be public/visible to users and the Frontend URL should be entered as the Redirect URL. Within the static hosted site, you should use the Backend URL to make requests with query strings. For more information on NAF Apps and instructions on registering one, go to NAF Apps. For more information on the Narmi Public API, go to Narmi Public API.
• Environment Variables:
  • CLIENT_ID – The Client ID generated by your NAF App
  • CLIENT_SECRET – The Client Secret that appears onscreen after you register your NAF App
  • API_ROOT – The root domain of your Narmi API; this is typically https://api.yourdomain.com
• Supported Types – This template supports only the NAF function type.

Create a New Function and NAF App

From the Admin Platform, you can create a Narmi Function using one of our pre-built templates or you can start from a custom code zip archive. If you are using a custom code archive, refer to the Technical Limitations to ensure your project meets the requirements. 

We recommend starting with one of the Hello World templates in order to get familiar with how Narmi Functions works. For these instructions, we’ll use the Hello World Hosted NAF template and create a simple NAF App to display text within Online Banking. This process involves creating a new function, registering a NAF app, updating the template code, and testing your app.

Create a New Function

To create a new function from a template:

1. From the Admin Platform, select Narmi Functions, then select Create a new function.

2. On the page that appears, select Start from a template.

3. Enter the Function name and Description. The function name is the title that will display in the Narmi Functions list and the description will display in the function details page. Enter a simple description that users will understand at a glance.

4. Below the Description are nine templates to choose from:

• Hello World – A simple function that returns “Hello from Narmi!” text
• Hello World Hosted NAF – A simple function that uses a hosted static site and displays text returned by the backend API call.
• Decrypt – A helper template that decrypts environment variables for you
• Slack Notification – Integration with the Slack API that sends a simple Slack message on a specific event
• Slack and Admin API Integration – Integration between the Slack API and Narmi’s Admin API that sends a Slack message on invocation
• NAF Oauth Toolkit – A template that uses Oauth, which allows the function to make requests on an individual user's behalf
• Mailchimp Marketing – Automatically adds users to a Mailchimp audience when they take a specified action.
• NAF List Accounts – A template that uses a static hosted website and NAF Oauth, which allows the function to make GET requests to the /accounts endpoint in the Narmi Public API, returning a list of accounts for the user. This template implements the Narmi Design System style.
• NAF Endpoints – A template that uses a static hosted website and NAF Oauth, which allows the function to make requests to any valid Narmi Public API endpoint, returning the request response’s raw data.

For full details on each available template, go to Built-in Templates.

If you would like to look through the function code to understand it more before deploying, select Download code.

For this example, select the Hello World hosted NAF template. 

5. Select the function type, which will determine how the function can be invoked, and is dependent on the use case the function is meant to fulfill.

There are three supported function types:

• Webhook – A webhook for a specific user event, or “trigger event,” is created, and the function will be invoked via that webhook each time the trigger event occurs. Depending on the type of event, the request body will include resource_id , user_id , or additional_id.
  • For a list of valid trigger events to enter, go to User History Actions. 
  • For more information on webhooks, go to our webhooks documentation.
• Schedule – The function is executed on a regular schedule and requires a CRON expression to describe individual details of the schedule. Go to CRON expressions for an explanation of CRON fields and characters.
• Narmi Application Framework – This function is invoked via its URL, either by a user visiting it through the NAF App (which adds it to the Online Banking product), or via an API request. The request here contains a token, which can be decrypted using the NAF App’s Client Secret to validate the legitimacy of each request. Select the request method your NAF Application will be using.

For this example, select the Narmi Application Framework type and GET as the request method for the NAF App.

6. If needed for your function, select the environment variables. These can be added as key value pairs and will be added to your function’s runtime environment. All environment variables are encrypted at rest. Checking the encrypted option for an environment variable also guarantees it will be encrypted in transit using a AWS KMS encryption key (all environment variables use TLS in transit regardless), but also will require an additional API call be made in your function to decrypt the variable. This option must be selected for any secrets. Additional information for variable decryption is available with the decrypt template.

No environment variables are required for this example using the Hello World hosted NAF function.

7. Select Upload to create your function. The function State displays “Creating.”

It takes approximately 30 seconds for the function to be created and all resources to be provisioned. Refresh the page to see the latest status.

Once the function is created, the State updates to “Active.”

8. Once the function is active, copy the Frontend URL, which will be used for the Redirect URL when you register a NAF App in step 2 of the next section.