Authentication
Use partner-token for new embedded trading SSO integrations.
Recommended mode: partner-token
partner-token avoids putting short tokens in URLs and keeps apiSecret on the partner backend.
```javascript
const widget = TradingWidget.create('#trading-widget', {
  baseUrl: 'https://app.6mm.com',
  auth: {
    mode: 'partner-token',
    tokenProvider: async ({ channelId, symbol, reason }) => {
      const resp = await fetch('/api/trading/embed-token', {
        method: 'POST',
        credentials: 'include',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ channelId, symbol, reason }),
      })

      if (!resp.ok) {
        throw new Error('Failed to request embed token')
      }

      return resp.json()
    },
  },
})
```
Backend flow
1. Partner frontend receives auth_request from the iframe.
2. SDK calls tokenProvider.
3. Partner frontend calls its own backend.
4. Partner backend validates the partner session.
5. Partner backend calls 6MM Agent API or Java SDK createEmbedToken.
6. SDK sends embedToken to the iframe through postMessage.
7. iframe exchanges embedToken for a 6MM access token.
8. iframe continues initialization and emits ready.
tokenProvider contract
| Field | Direction | Description |
|---|---|---|
| channelId | SDK -> Partner backend | Unique widget session identifier. The backend should pass it to createEmbedToken. |
| symbol | SDK -> Partner backend | Current requested trading symbol. Use it to scope the token when needed. |
| reason | SDK -> Partner backend | Why the SDK is requesting a token, such as initial load or refresh. |
| embedToken | Partner backend -> SDK | Short-lived token created by the Agent SDK or Agent API. |
| expireAt | Partner backend -> SDK | Token expiration timestamp returned by 6MM. |
Failure handling
| Condition | Recommended handling |
|---|---|
| Partner session expired | Return 401 from the partner endpoint and ask the user to sign in again. |
| Token creation failed temporarily | Throw an error in tokenProvider and allow the widget to surface an auth error. |
| channelId mismatch | Reject the request and recreate the widget instance. |
| User is not allowed to trade | Return a partner-controlled error and do not create an embed token. |
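Steps 4 and 5 of the backend flow, combined with the failure-handling table above, can be expressed as one framework-independent handler behind `/api/trading/embed-token`. This is an added example, not code from 6MM or its SDK. The handler name, the session fields (`userId`, `expiresAt`, `canTrade`), the length limit, the error strings and the `deps.createEmbedToken` wrapper with its argument shape are all assumptions.

```javascript
// Added example: partner-side logic behind POST /api/trading/embed-token.
// Hypothetical names: handleEmbedTokenRequest, session.userId/expiresAt/canTrade,
// deps.createEmbedToken (your wrapper around the 6MM Agent API or Java SDK call).
const MAX_FIELD_LEN = 128 // assumed upper bound for channelId and symbol

function isShortString(value) {
  return typeof value === 'string' && value.length > 0 && value.length <= MAX_FIELD_LEN
}

async function handleEmbedTokenRequest(session, body, deps) {
  const now = deps.now ? deps.now() : Date.now()

  // Step 4: validate the partner session before anything else.
  if (!session || session.expiresAt <= now) {
    return { status: 401, body: { error: 'session_expired' } }
  }

  // Reject malformed input instead of forwarding it upstream.
  const { channelId, symbol, reason } = body || {}
  if (!isShortString(channelId) || !isShortString(symbol)) {
    return { status: 400, body: { error: 'invalid_request' } }
  }

  // User is not allowed to trade: partner-controlled error, no token is created.
  if (!session.canTrade) {
    return { status: 403, body: { error: 'trading_not_allowed' } }
  }

  // Step 5: apiSecret stays inside deps.createEmbedToken on the backend.
  let token
  try {
    token = await deps.createEmbedToken({ userId: session.userId, channelId, symbol, reason })
  } catch (err) {
    // Temporary failure: a non-2xx status makes the page's tokenProvider throw.
    return { status: 502, body: { error: 'embed_token_unavailable' } }
  }

  // Return only the two contract fields, whatever else the upstream call returned.
  return { status: 200, body: { embedToken: token.embedToken, expireAt: token.expireAt } }
}
```

Map the returned `status` and `body` onto whatever HTTP framework the partner backend uses.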
Compatibility mode: agent-sso
agent-sso keeps the older /agent-entry ticket flow. Prefer partner-token for new integrations.
```javascript
const widget = TradingWidget.create('#trading-widget', {
  baseUrl: 'https://app.6mm.com',
  auth: {
    mode: 'agent-sso',
    entryUrlProvider: async ({ redirectPath }) => {
      const resp = await fetch('/api/trading-entry', {
        method: 'POST',
        credentials: 'include',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ redirectPath }),
      })
      const data = await resp.json()
      return data.webUrl
    },
  },
})
```