Iframe Message Contract

Reference the postMessage contract used between the host app and the Meshes embed iframe.

Meshes embed uses window.postMessage to exchange runtime state between the host app and the iframe.

Parent -> iframe

`meshes:auth`

Send the current session token into the iframe.

{
  "type": "meshes:auth",
  "token": "eyJhbGciOiJIUzI1NiIs..."
}

Use this:

after meshes:ready
after session refresh
after receiving meshes:token-refresh

Iframe -> parent

`meshes:ready`

Sent when the iframe is ready to receive the session token.

`meshes:token-refresh`

Sent when the iframe needs a new session token.

Your host should respond by refreshing the session on your backend and sending a new meshes:auth message.

`meshes:token-expired`

Sent when the iframe no longer has a usable session token.

`meshes:navigate`

Sent when the iframe navigates between supported embed pages.

`meshes:resize`

Sent when the iframe content height changes.

{
  "type": "meshes:resize",
  "height": 842
}

Recommended host behavior

respond to meshes:ready by sending meshes:auth
respond to meshes:token-refresh by refreshing the session and sending a new token
respond to meshes:resize by applying the height to the iframe
log meshes:token-expired so your app can show a fallback state if needed

Always:

derive the embed origin from launch_url
ignore messages from any other origin
send meshes:auth back to that same origin rather than using *

Iframe Message Contract

Reference the postMessage contract used between the host app and the Meshes embed iframe.

Meshes embed uses window.postMessage to exchange runtime state between the host app and the iframe.

Parent -> iframe

`meshes:auth`

Send the current session token into the iframe.

{
  "type": "meshes:auth",
  "token": "eyJhbGciOiJIUzI1NiIs..."
}

Use this:

after meshes:ready
after session refresh
after receiving meshes:token-refresh

Iframe -> parent

`meshes:ready`

Sent when the iframe is ready to receive the session token.

`meshes:token-refresh`

Sent when the iframe needs a new session token.

Your host should respond by refreshing the session on your backend and sending a new meshes:auth message.

`meshes:token-expired`

Sent when the iframe no longer has a usable session token.

`meshes:navigate`

Sent when the iframe navigates between supported embed pages.

`meshes:resize`

Sent when the iframe content height changes.

{
  "type": "meshes:resize",
  "height": 842
}

Recommended host behavior

respond to meshes:ready by sending meshes:auth
respond to meshes:token-refresh by refreshing the session and sending a new token
respond to meshes:resize by applying the height to the iframe
log meshes:token-expired so your app can show a fallback state if needed

Always:

derive the embed origin from launch_url
ignore messages from any other origin
send meshes:auth back to that same origin rather than using *

Iframe Message Contract

Reference the postMessage contract used between the host app and the Meshes embed iframe.

Parent -> iframe

meshes:auth

Iframe -> parent

meshes:ready

meshes:token-refresh

meshes:token-expired

meshes:navigate

meshes:resize

Recommended host behavior

Related docs

Iframe Message Contract

Reference the postMessage contract used between the host app and the Meshes embed iframe.

Parent -> iframe

meshes:auth

Iframe -> parent

meshes:ready

meshes:token-refresh

meshes:token-expired

meshes:navigate

meshes:resize

Recommended host behavior

Related docs

`meshes:auth`

`meshes:ready`

`meshes:token-refresh`

`meshes:token-expired`

`meshes:navigate`

`meshes:resize`

`meshes:auth`

`meshes:ready`

`meshes:token-refresh`

`meshes:token-expired`

`meshes:navigate`

`meshes:resize`