Parent Bridge
Events between the iframe and the operator page
The Phoenix Prediction iframe does not own login, registration, cashier, or deposit flows. When it needs one of those actions, it sends an event to the parent page.
All postMessage handling must validate origins on both sides.
Iframe to Parent
| Event | When it happens | Parent behavior |
|---|---|---|
phoenix:ready | Iframe has loaded and can receive parent messages | Store the iframe reference or clear loading UI |
phoenix:resize | Auto sizing is enabled and content height changes | Update iframe height |
phoenix:authRequired | Visitor clicked a player-only action | Open login/register and mint a player token |
phoenix:depositRequested | Player needs funds to complete an action | Open cashier/deposit |
phoenix:tokenExpiring | Current launch token is near expiry | Mint and send a fresh token |
phoenix:betPlaced | A bet was accepted | Optional analytics or parent UI refresh |
phoenix:error | Iframe hit an integration-facing error | Log and show support path when needed |
Parent to Iframe
| Event | Purpose |
|---|---|
phoenix:setToken | Replace visitor token with player token, or refresh an expiring token |
phoenix:navigate | Ask iframe to navigate to a Phoenix Prediction route or market |
phoenix:refresh | Ask iframe to reload its Phoenix Prediction data |
Visitor to Player Flow
1. Iframe starts with a visitor JWT.
2. Visitor clicks Buy.
3. Iframe sends phoenix:authRequired.
4. Your site completes login or registration.
5. Your backend mints a player JWT.
6. Parent sends phoenix:setToken to the iframe.
7. Iframe reconnects as the player.Example Listener
const iframe = document.querySelector<HTMLIFrameElement>('#phoenix-prediction-embed');
const phoenixOrigin = 'https://embed.prediction.phoenixverse.io';
window.addEventListener('message', async (event) => {
if (event.origin !== phoenixOrigin) return;
if (!event.data || typeof event.data.type !== 'string') return;
switch (event.data.type) {
case 'phoenix:authRequired': {
const token = await loginAndMintPhoenixPredictionToken();
iframe?.contentWindow?.postMessage(
{ type: 'phoenix:setToken', token },
phoenixOrigin,
);
break;
}
case 'phoenix:depositRequested':
openCashier();
break;
case 'phoenix:resize':
if (typeof event.data.height === 'number' && iframe) {
iframe.style.height = `${event.data.height}px`;
}
break;
}
});Security Requirements
- Check
event.originbefore trusting any message. - Send messages back to the exact Phoenix Prediction origin, not
*. - Keep allowed parent origins configured in Phoenix Prediction admin.
- Do not send private account or wallet data through bridge messages unless Phoenix explicitly documents the field.