Member Portal Embed
Embed the Flash loyalty member portal directly into your own website — with single sign-on. Logged-in visitors see their points, coupons, and tier inside an iframe, with no second login.
Your backend signs a short-lived JWT (HS256) carrying the user's email; the SDK drops an iframe that Flash verifies and bridges to a member session. Sessions use a bearer token (no cookies), so third-party cookie blocking does not break it.
How it works
1. Register an embed client
Create a client below. Flash mints a public client_id and a one-time shared secret (shown once). The secret lives only on your backend.
2. Sign a short-lived JWT on your backend
After a user logs into your site, sign a ≤5-minute HS256 JWT with the shared secret, carrying the user's email (iss = client_id).
3. Drop the SDK script on your page
Add the <script> tag with data-token set to the JWT. The SDK builds the iframe and auto-resizes it to its content.
Register your client
Signed in to your Flash team? Register an embed client to get your client_id and shared secret. The secret is displayed only once — store it in your backend immediately.
Register an embed client
Generates a public client_id and a one-time shared secret for signing embed JWTs from your backend.
List the full HTTPS origins allowed to frame the portal, one per line (or comma-separated).
1. Drop the SDK on your page
Optional attributes: data-base-url (default https://flash.socialhub.ai), data-min-height (default 600).
<div id="flash-loyalty"></div>
<script src="https://flash.socialhub.ai/sdk/flash-portal.js"
        data-token="<JWT signed by your backend>"
        data-target="#flash-loyalty"></script>
2. Sign the JWT on your backend
The JWT must be signed on your backend — the shared secret must never reach the browser. Tokens are short-lived and single-use.
import jwt from "jsonwebtoken";
const token = jwt.sign(
  {
    email: user.email,
    name: user.name,
    marketing_consent: user.optedInMarketing === true,
  },
  process.env.FLASH_EMBED_SECRET, // your shared_secret
  { algorithm: "HS256", issuer: "<client_id>", expiresIn: "5m" }
);
// Render `token` into the script tag's data-token, or hand it
// to the browser via your own endpoint.

use Firebase\JWT\JWT;
$token = JWT::encode([
    "iss" => "<client_id>",
    "email" => $user->email,
    "name" => $user->name,
    "marketing_consent" => false,
    "iat" => time(),
    "exp" => time() + 300,
], $sharedSecret, "HS256");
Where do client_id and the secret come from?
From the registration form above — Flash generates both. The shared secret signs your embed JWTs and is separate from your REST API keys and from Flash's own session secret. Each client has its own secret, so a leak is isolated to one site.
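A pre-flight check for the token your backend produces, as an added example that is not Flash's own code: it signs an embed JWT with Node's built-in crypto and tests it against the rules stated above (HS256, iss equal to client_id, an email claim, expiry at most 5 minutes out). The function names, the DEMO values and the problem strings are assumptions made for illustration; Flash's actual verifier is not shown on this page.

```javascript
// Added example, not Flash's code: checks a token against the rules this page states.
const { createHmac, timingSafeEqual } = require("node:crypto");

const MAX_TTL = 300; // seconds; the page asks for a JWT of at most 5 minutes
// Constructed sample values, not real credentials.
const DEMO = { clientId: "demo-client-id", secret: "constructed-demo-secret" };
const b64u = (v) => Buffer.from(v).toString("base64url");
const mac = (secret, data) => createHmac("sha256", secret).update(data).digest();

// Mint an embed token with the same claims as the page's samples (hypothetical helper).
function signEmbedToken(claims, secret, clientId, now, ttl = MAX_TTL) {
  const header = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64u(JSON.stringify({ ...claims, iss: clientId, iat: now, exp: now + ttl }));
  return `${header}.${body}.${b64u(mac(secret, `${header}.${body}`))}`;
}

// Return a list of problems; an empty list means the token follows the page's rules.
function checkEmbedToken(token, secret, clientId, now) {
  const parts = token.split(".");
  if (parts.length !== 3) return ["not a three-part JWT"];
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url"));
    claims = JSON.parse(Buffer.from(p, "base64url"));
  } catch { return ["header or payload is not valid JSON"]; }
  if (!header || !claims) return ["header or payload is not a JSON object"];
  const problems = [];
  // Pin the algorithm: never trust the header to choose how the token is verified.
  if (header.alg !== "HS256") problems.push("alg must be HS256");
  const sig = Buffer.from(s, "base64url");
  const want = mac(secret, `${h}.${p}`);
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (sig.length !== want.length || !timingSafeEqual(sig, want)) problems.push("bad signature");
  if (claims.iss !== clientId) problems.push("iss must equal client_id");
  if (typeof claims.email !== "string" || !claims.email.includes("@")) problems.push("email missing");
  if (!Number.isInteger(claims.exp)) problems.push("exp missing");
  else if (claims.exp - now > MAX_TTL) problems.push("lifetime exceeds 5 minutes");
  else if (claims.exp <= now) problems.push("expired");
  return problems;
}

const demoNow = 1700000000; // fixed clock so the run is repeatable
const demoToken = signEmbedToken({ email: "member@example.com" }, DEMO.secret, DEMO.clientId, demoNow);
console.log(checkEmbedToken(demoToken, DEMO.secret, DEMO.clientId, demoNow));
```

Run it in a backend test suite against the output of your real signing code, passing the current Unix time as `now`.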