Embed the widget in an iframe. It sends postMessage to window.parent when the flow finishes or the user clicks Close. Use postMessage for instant UX (dismiss your modal, show confirmation). Use webhooks for backend truth on async events.
<iframe src="https://tfr-sandbox.strgia.com/widget_session_…?token=…" allow="camera; microphone"></iframe>Message shape
{
"source": "lightspark-tfr-widget",
"action": "complete",
"outcome": "complete",
"sessionId": "widget_session_01kvw9f9nvf26b4t4j87teamw9"
}window.addEventListener("message", (e) => {
if (e.data?.source !== "lightspark-tfr-widget") return;
const { action, outcome, sessionId } = e.data;
// action: "complete" | "close"
});Validate e.origin in production.
Actions
complete — fires when a terminal screen appears (user has not clicked Close yet).
| Outcome | Meaning |
|---|---|
complete | Finished successfully |
in_review | Submitted; compliance review pending |
expired | Session expired |
rejected | Rejected |
close — fires when the user clicks Close.
Standalone / mobile browser (redirect URLs)
When the widget opens in a system browser (not an iframe), postMessage has no parent to receive it. Append optional redirect URLs as query params on the widget URL:
| Query param | Used for outcomes |
|---|---|
redirectUrlSuccess | complete, declared, verified, no_declaration_needed, in_review |
redirectUrlError | rejected, expired, cancelled |
Deep links must be URL-encoded.
https://tfr-sandbox.strgia.com/widget_session_…?token=…
&redirectUrlSuccess=https://sandbox.striga.com/travel-rule/tx/id/success
&redirectUrlError=https://sandbox.striga.com/travel-rule/tx/id/failureThe widget appends these query params to your redirectUrlSuccess and redirectUrlError URLs
| Param | Value |
|---|---|
outcome | Same as postMessage (complete,verified, rejected, etc.) |
action | complete |
sessionId | Widget session id |
Example redirect target:
bitrefill://travel-rule/success?outcome=verified&action=close&sessionId=widget_session_01kvw9f9nvf26b4t4j87teamw9
Use sessionId to match the session on your backend. For async compliance results, rely on webhooks — not postMessage.

