Launch URL and Iframe Bootstrap

Meshes uses a dedicated launch step for the initial iframe document request.

Two-token model

Each session mint returns two related credentials:

1. launch_url
   • short-lived
   • used only to start the iframe
2. access_token
   • sent later with meshes:auth
   • used after the iframe is ready

What the launch URL does

The launch_url:

• starts the iframe on the requested embed page
• carries the short-lived bootstrap token
• should be used only for the first iframe request

What it does not do

The launch_url is not your runtime session credential.

Do not use it as a substitute for meshes:auth.

Reload behavior

Supported behavior:

• first iframe load from a fresh launch_url
• normal client-side navigation after bootstrap
• session refresh with a new access_token over meshes:auth

If the iframe is hard reloaded later, mint a fresh session or a fresh launch URL before mounting it again.

Why not pass the session token in the iframe URL?

Because query strings are the wrong place for a runtime bearer token. URLs can leak into:

• browser history
• logs
• analytics
• error traces
• referrers

Related docs

• Quickstart
• Iframe Message Contract
• Security Model