Origin filtering (host side). Drop every MessageEvent whose event.origin !== WEB3KIT_ORIGIN. The iframe currently sends with targetOrigin: '*'; the host is the only side that can enforce origin safety today.
Origin filtering (host → iframe). When posting to the iframe via iframeRef.current.contentWindow.postMessage(...), pass WEB3KIT_ORIGIN as the second argument in production builds. '*' is acceptable only for local development against a non-deployed iframe.
connectionId discipline. Always echo the latest connectionId from WEB3_KIT_INIT. Never reuse a stored connectionId after the iframe has been unmounted — a new mount generates a new one.
authToken lifecycle. The OAuth authToken is single-use. The backend rejects reuse. Treat it as a sensitive value — never persist it in client storage and never share it outside the iframe URL.
nonce TTL. The backend rotates nonce quickly (≈5 min). If the user takes longer than that between SIGNATURE_MSG and AUTH_BY_WALLET, restart the cycle from WEB3_KIT_GET_SIGNATURE_MSG.
Iframe sandbox attribute. If you add sandbox, include at least allow-scripts allow-same-origin — otherwise the iframe cannot call the auth API.
Multiple iframes. Each mounted iframe has its own connectionId. If you embed several Web3Kit instances simultaneously, route inbound messages by connectionId to the right host-side handler.
Token handling.WEB3_KIT_AUTH_DATA carries plaintext JWTs in a postMessage envelope. Store them on the host side using whatever secure mechanism you already use for sessions (httpOnly cookies via a server round-trip, secure storage, etc.). Never re-broadcast them via postMessage to other windows.
Network coverage. Only network: 'eth' is fully validated end-to-end through the iframe. The contract types include sol and ton, and the /web3/signature endpoint accepts them, but authenticate and createAndAuthenticate paths have not been exercised via this iframe yet.
AUTH_FAILED.reason granularity. The mapping distinguishes only banned, deleted, and unknown. Other 400 conditions that the standard WalletsPage flow handles via routing to verification screens (email/phone) are currently collapsed into unknown because the iframe has no host-controlled navigation.
targetOrigin: '*' on iframe side. Temporary, pending the agreement on an allowlist of accepted host origins.
Logging. Both sides log only when the auth-central app is built with appConfig.demo.available = true. In production builds the loggers are no-ops; rely on browser DevTools network/console for diagnostics or stand up a dedicated demo build.
Single contract source. The enums are exported from the iframe page's source file. A consumer in another repo must keep its own mirror in sync. A future refactor will extract the contract into a publishable package.