
Security considerations

The SDK is built for handling sensitive medical data. Keep these principles in mind:
  • Mint secrets server-side. Always fetch client secrets and launch tokens from a secure backend you control. Never expose your client ID or secret to the frontend. See Authentication.
  • Secure message passing. All communication between your app and the embedded experience uses secure message passing with origin validation.
  • Patient privacy. A strict referrer policy and sandboxed iframe permissions protect patient data, and the embedded app stores encrypted data on the device rather than leaking PHI to the host.
Treat launch tokens as short-lived secrets. They expire after 5 minutes and should be requested fresh from your backend for each session.
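
To make "origin validation" concrete, here is an added example (not TORTUS SDK code) of the checks a host page applies to postMessage traffic from an embedded iframe. The origin `https://embed.example.invalid`, the `type` field on messages and all function names are assumptions made for illustration.

```javascript
// Added illustration, not the SDK's implementation.
// EMBED_ORIGIN is a placeholder; use the exact origin your embed is served from.
const EMBED_ORIGIN = "https://embed.example.invalid";

// Returns null when the message is acceptable, otherwise the check that failed.
function rejectReason(event, iframeWindow, allowedOrigin = EMBED_ORIGIN) {
  // Exact comparison only. startsWith()/includes() would also accept a
  // look-alike host such as https://embed.example.invalid.other.test.
  // A frame sandboxed without allow-same-origin reports the string "null",
  // which an exact match never treats as trusted.
  if (event.origin !== allowedOrigin) return "origin";

  // The sender must be the iframe this page created, not some other
  // window or frame that happens to share the origin.
  if (event.source !== iframeWindow) return "source";

  // Treat the payload as untrusted input: require the expected shape
  // (an object with a string "type", assumed here) before dispatching.
  const data = event.data;
  if (data === null || typeof data !== "object" || typeof data.type !== "string") {
    return "shape";
  }
  return null;
}

// Wraps a handler so it only ever sees messages that passed every check.
function createListener(iframeWindow, onMessage, allowedOrigin = EMBED_ORIGIN) {
  return (event) => {
    if (rejectReason(event, iframeWindow, allowedOrigin) === null) {
      onMessage(event.data);
    }
  };
}

// Outbound: always name the target origin. A "*" target would deliver the
// message (possibly containing a launch token) to whatever document is
// currently loaded in the frame.
function sendToEmbed(iframeWindow, message, allowedOrigin = EMBED_ORIGIN) {
  iframeWindow.postMessage(message, allowedOrigin);
}
```

In a browser, register the listener with `window.addEventListener("message", createListener(iframe.contentWindow, handler))`.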

Browser support

The SDK targets modern browsers and relies on:
  • ES2020+ language features.
  • The iframe postMessage API.
  • async/await syntax.

Licence

© 2025 TORTUS AI. All rights reserved. This library is provided under licence from TORTUS AI. Contact TORTUS for licensing and usage terms.

Need help?

Contact support

Reach the TORTUS team for credentials, access, or integration help.
