Skip to main content

URL

Requirements

Permissions

The following permission policies are required:
  • accelerometer
  • autoplay
  • camera
  • encrypted-media
  • gyroscope
Example

Key exchange

Credentials returned from the frame are encrypted to protect their content since they are sent over postMessage. You need to generate an X25519 keypair and pass the public key into the frame. The frame uses your public key to encrypt the payload, ensuring only you can read it with your private key.
Never persist the private key to disk or storage. Hold it in memory only for the duration of the session.
Frame credential verification lifecycle
The frame uses the @noble/curves library internally. On web and React Native, you can use this same library to generate your keypair and handle decryption. For native platforms, use a compatible utility like CryptoKit on iOS or KeyPairGenerator on Android.
The following example shows how to generate a keypair and decrypt credentials using @noble/curves. You’ll want to add your own error handling and input validation for production use.
crypto.ts
The following example shows how to generate a keypair and decrypt credentials using @noble/curves. You’ll want to add your own error handling and input validation for production use.In React Native, yuo will need a polyfill for getRandomValues (MDN) which is only available in browsers.
crypto.ts

Initialization parameters

Events

All events are dispatched using the message pattern described in the frames protocol. Below are the event payloads specific to the connect frame.

Outbound events

frame->parent These events are sent from this frame to the parent window.

handshake

The frame requests that you open a message channel.

ready

The frame finished loading and the UI is fully rendered. You can use this to coordinate UI transitions, but you don’t need it to complete the flow.

complete

The connect flow finished. If it succeeds, the payload includes encrypted client credentials.
The credentials value is an encrypted string. Once decrypted, it contains a JSON object with accessToken, clientToken, and expiresAt. See API and SDK credentials for how to use each field.

error

This event dispatches errors that occur in the flow and, if available, provides steps for recovery.

Inbound events

parent->frame These events are sent from the parent window to this frame.

ack

Acknowledge the handshake.