The embedded dialer uses a secure handoff from the parent HighLevel frame so users do not need to complete a second manual login inside the widget.

How the sign-in flow works

  1. the widget loads inside the HighLevel iframe
  2. the embedded app confirms it is running in a valid embedded context
  3. the widget asks the parent frame for sign-in data
  4. HighLevel returns the secure SSO payload
  5. the widget exchanges that payload with the embedded auth backend
  6. the app stores the resulting session and starts the embedded experience

Why the embedded check matters

The widget is intentionally embedded-only. If it is opened directly in a normal browser tab, the app shows the not-embedded warning and redirects back to the main application flow instead of exposing an unsupported standalone login path.

Session behavior

The embedded session is designed to feel seamless:
  • users open the widget from inside HighLevel
  • the widget reuses HighLevel context instead of asking for a second full login
  • the embedded session is refreshed in the background while the widget stays open

Security boundaries

The embedded dialer only trusts supported HighLevel origins. That keeps the postMessage and SSO handoff limited to the expected parent frame.
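
The embedded check and the origin-restricted handoff described above can be sketched as follows. This is an added example, not HighLevel's or the dialer's own code. The allowed origin, the message type and the function names are placeholders assumed for illustration.

```javascript
// Placeholder values: substitute the parent origins and message type that
// your deployment actually supports. None of these come from HighLevel docs.
const ALLOWED_PARENT_ORIGINS = new Set([
  "https://parent.example.test",
]);
const RESPONSE_TYPE = "SSO_RESPONSE"; // hypothetical message type

// Step 2: embedded-context check. In a top-level tab, self and top are the same window.
function isEmbedded(win) {
  return win.self !== win.top;
}

// Steps 3-4: accept the SSO payload only from the expected parent frame.
function acceptHandoff(event, parentWindow) {
  // Exact match on the browser-supplied origin; substring or prefix tests
  // would also accept look-alike hosts.
  if (!ALLOWED_PARENT_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "origin" };
  }
  // The sender must be our real parent, not a sibling frame or a popup.
  if (event.source !== parentWindow) {
    return { ok: false, reason: "source" };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || data.type !== RESPONSE_TYPE) {
    return { ok: false, reason: "type" };
  }
  if (typeof data.payload !== "string" || data.payload.length === 0) {
    return { ok: false, reason: "payload" };
  }
  return { ok: true, payload: data.payload };
}

// Browser wiring; skipped outside a browser so the checks can be tested alone.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  if (isEmbedded(window)) {
    window.addEventListener("message", (event) => {
      const result = acceptHandoff(event, window.parent);
      if (!result.ok) return; // drop messages that fail any check
      // Step 5: exchange result.payload with the embedded auth backend here.
    });
  }
}
```

The backend exchange in step 5 still has to validate the payload server-side; the checks here only limit which frame the widget will listen to.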