Prerequisites
- Node.js 18+ for your bundler / package manager
- A modern evergreen browser (ES2020+) for development and testing
- React 19 (if using
@gbg/go-bridge-web-react), or any framework withBridgeHostdirectly - A journey URL minted server-side via
@gbg/go-coreβ see Journey URL - A backend endpoint that returns the journey URL to your frontend (never expose
@gbg/go-corecredentials in the browser)
Step 1: Install the SDK
Install one or both packages depending on your framework:These packages are not yet on public npm β publish lands with GGO-13991. The SDK source lives in the reference build under
packages/ until the public package is available. See Getting Started β Installation.Step 2: Obtain a journey URL
Your backend uses@gbg/go-core server-side to mint a tokenized journey URL. The frontend fetches this URL via your own API and passes it to the iframe.
Never run
@gbg/go-core in the browser β its OAuth flow uses a client secret that must not ship in browser code. See Journey URL for the full backend pattern and Security for the rationale.Step 3: Configure page-level requirements
These are properties of your host page, not the SDK. Set them once for each environment you ship to.Content Security Policy
Add the journey origin to your CSPframe-src directive:
frame-src *.
iframe allow attribute
Set the minimum browser permissions the journey needs:
camera. Add microphone only if a step requires it. Do not blanket-grant all permissions.
HTTPS
In production, both the host page and the journey URL must be HTTPS. Browsers block mixed content (HTTPS page + HTTP iframe) and the integration will fail silently.Step 4: Set up the bridge host
Two code paths depending on your framework β the React adapter for React 19 apps, and the core class directly for everything else. Both use the same underlyingBridgeHost, so the semantics are identical.
React
Track the iframe in
useState, not useRef. Refs are not reactive, so the providerβs effect would never see the iframe attach. See Common Pitfalls.Framework-agnostic
Step 5: Declare capabilities and register handlers
The two-step pattern is essential β declaring a capability does not register a handler, and registering a handler does not declare the capability. Both are required for the journey to invoke the host.registerCustomCapability.
Step 6: Report permission state
Surface browser permission state to the journey so it can prompt the user before requesting capture:CapabilityInfo.permissionState:
Step 7: Subscribe to journey lifecycle events
Wire up listeners for terminal journey events so you can route the user appropriately:Step 8: Build and run
- Start your dev server (
npm run devor equivalent). - Navigate to the page that renders
JourneyView. - The journey loads inside the iframe.
- The journey sends
capability.query; the SDK responds automatically with the capabilities you declared. - When the journey reaches a capture step, your handler runs.
- On terminal events (
journey.completed,journey.failed, etc.), your event listeners route the user.
Verify it works
- The journey loads and renders without CSP errors or blocked frames.
capability.queryresponse includes the capabilities you declared (visible indelegate.onMessageSent).- Capture requests trigger your handler; the response data flows back to the journey.
- Terminal events route correctly.
- No
console.warnfromHostIframeChannelindicating dropped outbound messages.
Common issues
See Troubleshooting for the comprehensive diagnostic guide.
Complete minimal example
Putting it all together β a minimal React component that loads a journey, declares document capture, registers a handler, and routes the completion event:Whatβs next
- Add selfie capture β same pattern as document capture, with action
"camera.selfie.capture". - Add custom capabilities β see Capability Handling.
- Wire up analytics forwarding via
analytics.forward. - Review Security before shipping to production.