For Third-Party App Developers
Overview
The myzPax Platform presents third-party applications through a tile-based interface using embedded iframe elements. Due to modern browser privacy and security restrictions—particularly in Safari—third-party cookies are blocked by default within iframes. This behavior may prevent applications from accessing cookies or maintaining session state.
To ensure consistent behavior and a secure user experience across all browsers, including Safari, myzPax supports two integration options:
- Option 1: Deploy your app with a myzPax Subdomain.
- Option 2: Use client-side, cookie-free storage mechanisms.
Integration Options
Option 1: Deploy Your App with a myzPax Subdomain (Recommended)
This approach involves deploying your application under a subdomain of the myzPax domain (e.g., yourapp.myzPax.com). When hosted under this subdomain, the browser treats your application as first-party content, bypassing third-party cookie restrictions.
Key Benefits
- Full browser support for cookies and storage
- Seamless session and authentication handling
- Maintains control of your infrastructure and deployment
- Future-proof against evolving browser storage restrictions
Requirements
- Wildcard SSL Certificate: You must obtain and install a wildcard SSL certificate (e.g., *.yourapp.myzPax.com) for your assigned subdomain.
- DNS Validation: myzPax will assist with DNS validation by publishing required TXT records for certificate issuance.
- Infrastructure & Deployment: You retain ownership of your app’s hosting and deployment processes.
- Subdomain Configuration: myzPax will configure a CNAME or A record to map the assigned subdomain (e.g., client1.myzPax.com) to your application endpoint (e.g., hosted.thirdparty.com or a static IP).
Considerations
- You are responsible for renewing and managing your SSL certificate.
- Coordination with the myzPax team is required for initial subdomain setup and DNS validation.
Option 2: Use Cookie-Free Storage Mechanisms
If subdomain hosting is not preferred, your application must avoid using cookies for session or state management. Instead, leverage browser-supported client-side storage that is compatible with embedded iframe environments.
Recommended Storage Alternatives
- localStorage
- sessionStorage
- IndexedDB
- Web Tokens (e.g., JWT) passed via URL or postMessage API
- OAuth or OIDC with token forwarding
These mechanisms are not blocked by modern browsers—even in iframe contexts—and are suitable for embedded applications.
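The postMessage option above, sketched from the embedded app's side as an added example (not myzPax code): the iframe accepts a token only from the expected parent origin and keeps it in sessionStorage. The parent origin, the message shape `{type, token}` and the storage key are assumptions; the real token structure is supplied by myzPax during onboarding.

```javascript
// Added example: iframe-side receiver for a token handed over by the embedding page.
// ASSUMPTIONS (not from myzPax documentation): parent origin, message shape, storage key.
const PARENT_ORIGIN = "https://app.myzpax.example"; // placeholder; use the origin myzPax gives you
const TOKEN_KEY = "myzpax.session.token";           // hypothetical storage key

// Decode the JWT payload only to read `exp`. This does NOT verify the signature;
// signature verification must happen on your backend for every API call.
function readExpiry(jwt) {
  const parts = typeof jwt === "string" ? jwt.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const payload = JSON.parse(atob(b64));
    return typeof payload.exp === "number" ? payload.exp : null;
  } catch {
    return null;
  }
}

// Returns a short status string so callers can log why a message was dropped.
function acceptTokenMessage(event, storage, nowSeconds) {
  // Exact string match on the sender's origin; never use includes() or startsWith().
  if (event.origin !== PARENT_ORIGIN) return "rejected: origin";
  const data = event.data;
  if (!data || data.type !== "myzpax:token") return "ignored: type";
  const exp = readExpiry(data.token);
  if (exp === null) return "rejected: malformed token";
  if (exp <= nowSeconds) return "rejected: expired";
  storage.setItem(TOKEN_KEY, data.token);
  return "stored";
}

// Browser wiring: runs only inside the iframe, skipped when loaded outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    acceptTokenMessage(event, window.sessionStorage, Math.floor(Date.now() / 1000));
  });
}
```

On the sending side, the parent should pass the iframe's exact origin as the `targetOrigin` argument of `postMessage` rather than `"*"`, so the token is never delivered to an unexpected document.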
Key Benefits
- No need to acquire or manage an SSL certificate
- Full control over your own domain and hosting
- Simplified onboarding and integration process
Considerations
- Tokens and session data must be managed entirely on the client side.
- Cross-domain data sharing is limited unless implemented via explicit forwarding.
- Future browser updates may impose restrictions on these storage methods similar to those currently applied to cookies.
Getting Started
To begin integration with myzPax:
- Select your preferred integration option:
  - Option 1: Subdomain hosting (recommended)
  - Option 2: Cookie-free storage
- Notify the myzPax Team of your selection.
- myzPax will provide you with:
  - Subdomain setup and certificate validation (for Option 1)
  - Token structure and client communication patterns (for Option 2)
Support
If you have any questions or need technical assistance during the integration process, please contact your myzPax integration representative.
Thank you for partnering with myzPax to deliver a secure and seamless experience for your users.