Secure embed

This document defines the integration model for embedding the myFlowpay application inside a partner’s (“host”) environment. It outlines the end-to-end authentication and communication mechanisms required to securely launch, maintain and terminate an embedded myFlowpay session.

The goal of this specification is to ensure that partners can seamlessly invoke myFlowpay within their own applications while preserving strong security guarantees, a consistent user experience and reliable synchronization between the host and the embedded app.

To achieve this, the specification introduces a signed launch payload, canonicalization rules, message-based authentication exchange and bidirectional communication patterns for session management. Partners integrating myFlowpay must follow these requirements to ensure interoperability and to maintain the trust model between systems.

The following sections describe the authentication flow, payload structure, signature computation and the message-based communication protocol used during login, logout and token lifecycle events.

For the end-to-end user journey and simulation, see Application flow.

Quick Start

Choose your integration approach:

Using the SDK (Recommended) — Simplest approach with official packages handling authentication, canonicalization, and session management automatically
Manual Implementation — Full control, requires implementing payload canonicalization and signature generation yourself

Topics in this section

Page	Description
Implementation with SDK	Packages, installation, Core/React usage, client state flow, server-side signing, Embed Sandbox App
Manual Implementation	Manual implementation, launch URL, message protocol, payload structure, canonicalization, signature
Communication Protocol	Events, logout, external URL handling, session expiration, error handling
Infrastructure & development	Subdomain setup, customization and styling
Application flow	User journey (flow overview and diagram), simulation mode for development and testing