Currents ships drop-in iframe forms for the user-facing responsible-gambling actions that every Kahnawake-licensed operator needs. Embed in your site with a single line of HTML — Anunnaki hosts the form, validates the input, persists the record, fires webhooks, and keeps every operator’s UI consistent under our compliance umbrella.
Iframes use a different auth model from the operator API. They authenticate with a public iframe key (cur_pk_test_* / cur_pk_live_*) passed in the URL — distinct from your server-side cur_sk_* Bearer key. Iframe keys are write-scoped to a single tenant and a single resource type (e.g. exclusions, deposit limits). They are safe to expose to end-users.
What’s available
| Embed | Path | Purpose |
|---|---|---|
| Self-exclusion | /iframe/ | User sets a break (24h → permanent) |
| Deposit limits | /iframe/deposit-limits/ | User sets daily / weekly / monthly caps |
More embeds (e.g. user identity verification triggers) will follow once we wire SumSub WebSDK into a hosted form.
How it works
- You drop an <iframe> tag into your page, pointing at our hosted form with your operator’s public iframe key.
- End-user fills in the form (email or phone + the responsible-gambling action).
- Anunnaki validates, persists in the master compliance database, propagates via webhook to all operators (including yours), and shows the user a success state.
- Your page receives a postMessage event so you can close the modal, show your own confirmation, or refresh state.
```
+----------------+      +---------------------------+      +-------------------+
|  Your website  | ---> | sandbox.api.anunnakielite | ---> |  Currents API +   |
|  (iframe tag)  |      | .com/iframe/...           |      |  webhooks fan-out |
+----------------+      +---------------------------+      +-------------------+
        ^                                                            |
        |                  postMessage(submitted)                    |
        +------------------------------------------------------------+
```
Auth at a glance
| Surface | Key prefix | Sent via | Token scope |
|---|---|---|---|
| Operator API (server-to-server) | cur_sk_* | Authorization: Bearer … | Full operator API |
| Iframe (browser-facing) | cur_pk_* | key query-string param | Single tenant, write-only for the named resource |
A leaked cur_sk_* is critical. A leaked cur_pk_* is recoverable — revoke and reissue.
Getting an iframe key
Email noreply@ventrasystems.com (subject: “Iframe key request”). Tell us which embeds you want enabled. We issue one sandbox key and one production key per tenant.
Theming (Phase B — coming)
The iframes already render in light/dark mode based on the visitor’s OS preference. URL-parameter theming (?primary=&logo=&dark=1) is planned for the next phase so the embed matches your brand exactly. Until then, the forms use the Anunnaki Currents palette.
postMessage events
All embeds post the same shape to the parent window so you can build a single listener:
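```javascript
// Origins the Currents forms are served from. The hosts are the ones listed under
// "CSP & X-Frame-Options"; the https:// scheme is an assumption.
const CURRENTS_ORIGINS = [
  'https://sandbox.api.anunnakielite.com', // sandbox
  'https://api.anunnakielite.com',         // production
];

window.addEventListener('message', (e) => {
  // Any window can post to this page, so accept only messages from a Currents origin.
  if (!CURRENTS_ORIGINS.includes(e.origin)) return;
  const m = e.data;
  if (!m || typeof m !== 'object') return;
  if (!String(m.source || '').startsWith('currents-')) return;
  switch (m.type) {
    case 'ready':
      // The iframe loaded. e.g. show a loading state.
      break;
    case 'submitted':
      // Form was submitted successfully. m.data contains the resource id.
      // Close the modal, show your own confirmation, refresh user state, etc.
      break;
    case 'error':
      // Submission failed. m.data.status + m.data.error has the detail.
      break;
  }
});
```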
The source field is currents-self-exclusion or currents-deposit-limit so you can route per embed if you need to.
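The listener above matches m.source by prefix, and that field is chosen by whoever sends the message. The following added example (not Currents' own code) puts the checks in one function that validates the browser-set origin, pins the sender to the embedded iframe's window, and matches source and type exactly. The https:// scheme, the function and variable names, and the sample events are assumptions made for illustration.

```javascript
// Added example. Hosts, source values and types are taken from this page;
// the https:// scheme and every name below are assumptions.
const ALLOWED_ORIGINS = new Set([
  'https://sandbox.api.anunnakielite.com', // sandbox
  'https://api.anunnakielite.com',         // production
]);
const KNOWN_SOURCES = new Set(['currents-self-exclusion', 'currents-deposit-limit']);
const KNOWN_TYPES = new Set(['ready', 'submitted', 'error']);

// Returns { ok: true, source, type, data } or { ok: false, reason }.
// frameWindow is the contentWindow of the iframe you embedded.
function checkCurrentsMessage(event, frameWindow) {
  // 1. event.origin is set by the browser; the sender cannot forge it.
  if (!ALLOWED_ORIGINS.has(event.origin)) return { ok: false, reason: 'origin' };
  // 2. Pin the sender to the one iframe you created.
  if (event.source !== frameWindow) return { ok: false, reason: 'window' };
  // 3. Everything in event.data is sender-controlled: match it exactly.
  const m = event.data;
  if (!m || typeof m !== 'object') return { ok: false, reason: 'shape' };
  if (!KNOWN_SOURCES.has(m.source)) return { ok: false, reason: 'source' };
  if (!KNOWN_TYPES.has(m.type)) return { ok: false, reason: 'type' };
  return { ok: true, source: m.source, type: m.type, data: m.data ?? null };
}

// Browser wiring; skipped under Node, where window is undefined.
if (typeof window !== 'undefined') {
  const frame = document.querySelector('iframe'); // assumes one Currents iframe
  window.addEventListener('message', (e) => {
    const r = checkCurrentsMessage(e, frame.contentWindow);
    if (!r.ok) return; // drop, or log r.reason for monitoring
    if (r.type === 'submitted') { /* update UI only; treat webhooks as the record */ }
  });
}

// Constructed sample events (not captured traffic); data.id is an assumed field name.
const frameWin = {}; // stands in for iframe.contentWindow
const genuine = { source: 'currents-deposit-limit', type: 'submitted', data: { id: 'constructed-id' } };
const SAMPLES = {
  genuine:    { origin: 'https://sandbox.api.anunnakielite.com', source: frameWin, data: genuine },
  wrongSite:  { origin: 'https://untrusted.example', source: {}, data: genuine },
  lookalike:  { origin: 'https://api.anunnakielite.com.untrusted.example', source: frameWin, data: genuine },
  otherFrame: { origin: 'https://api.anunnakielite.com', source: {}, data: genuine },
  prefixOnly: { origin: 'https://api.anunnakielite.com', source: frameWin,
                data: { source: 'currents-unknown', type: 'submitted' } },
};
for (const [name, ev] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(checkCurrentsMessage(ev, frameWin)));
}
```

The prefixOnly sample passes a startsWith('currents-') test but is rejected here, because only the two documented source values are accepted.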
CSP & X-Frame-Options
Our forms set Content-Security-Policy: frame-ancestors *; so they can be embedded from any operator domain. If you operate under a strict CSP, allowlist sandbox.api.anunnakielite.com (sandbox) and api.anunnakielite.com (production — soon forms.anunnakielite.com).