Iframe Agent creation is currently restricted by a whitelist access policy. Please contact the team staff to request access.
π Introduction
-
iframe is a standard protocol for embedding one website into another.
-
Iframes are particularly useful for enabling third-party agents with existing web applications to seamlessly onboard onto the MuleRun platform.
-
MuleRun supports Iframe Agents as one of its primary agent integration methods, allowing external developers to host and manage their agent logic independently while being securely embedded within MuleRun.
ποΈ System Architecture
Component Summary
| Component | Description |
|---|
| Agent Configuration Params | The param details when you create an Iframe agent from Creator Studio iframe agent template |
| Iframe URL Protocol | The URL(s) that MuleRun opens when a user starts or resumes a session. Parameters are passed via query string for authentication and context. Separate URLs can be configured for starting and sharing sessions. |
| Metering API | A MuleRun platform API that allows agent creators to report usage costs for a given session. Enables fine-grained billing based on resource consumption. |
| Metering Get Reports API | A MuleRun platform API that allows agent creators to get the usage costs for a given session and its current session status. |
π Agent Configuration Params
| Configuration Param | Usage | Default |
|---|
| Start Session Url | The Iframe url that starts a new session on creatorβs website | |
| Share Session Url | The Iframe url that starts a new shared session(playback) on creatorβs website | |
| Agent Key | The key used for generating signature AND calling metering api, this key should not be expose to any 3rd party | |
| Max Age | The maximum age of the session, in minutes | 2880 |
| Start Session Refresh Interval | The time interval between every two re-generations of start session full url(in minutes). when set to 0, it means the start session url will be created only once. | 0 |
π Iframe URL Protocol
Behavior Overview
-
When a new session starts, MuleRun redirects the user to the Start Session URL, including all required parameters.
-
On page refresh or re-entry into the session, the Start Session URL is loaded again with updated parameters.
-
When a session ends (either terminated or time out), a Share Session URL may be triggered. The user may choose to view or share the session playback.
-
When a visitor accesses the shared playback of a session, the Share Session URL is opened.
URL Schema Design
https://{start-session-url}?
userId={user_id}&
sessionId={session_id}&
agentId={agent_id}&
time={unix_timestamp}&
signature={hmac_signature}&
origin={platform_origin}&
nonce={nonce}
Note: All parameters are URL-encoded during transmission. During signature verification, they must be URL-decoded, parsed into a dictionary, sorted, and serialized as JSON before HMAC calculation.
Routing Example
Your agentβs endpoint: https://third-party-url.com/session/
Parameter Definitions
| Parameter | Type | Example |
|---|
userId | string (64 chars) | 3e5215afce4ef92284c336110cc6dd3d0107971687396cbb3dbbbc625bc3807d |
sessionId | string (36 chars, UUID) | 7469a916-d0c6-4161-bd33-1ebac5c834c4 |
agentId | string (36 chars, UUID) | 924751e0-196e-4b22-bdbd-f0a9ac6a4e39 |
time (UTC) | string (integer timestamp) | 1755667994 |
origin | string | mulerun.com |
nonce | string (36 chars, UUID) | bd3ff1f9-d5f3-4019-848a-7c74bba0b73a |
signature | string (64 chars, SHA-256 HMAC hex) | 2ae8a94f29beda81f59beca248824fcd91484c5f5744432a47ce2cea0a5c9a6f |
Example URL
https://third-party-url.com/session?
userId=377860de68ec786a091beb5d62836797bac4cf98074bd74af56bcec863696146&
sessionId=25404aaa-b407-4da7-9eb5-8ea6cbcfc9ee&
agentId=924751e0-196e-4b22-bdbd-f0a9ac6a4e39&
time=1755671232&
origin=mulerun.com&
nonce=bd3ff1f9-d5f3-4019-848a-7c74bba0b73a&
signature=dd4f2b82b054ce4324175c83ea9219772caa08863ba76e47cc7f03c57a65ce76
Signature Generation (Python Example)
import json
from datetime import datetime, timezone
import hmac
from hashlib import sha256
nonce = "bd3ff1f9-d5f3-4019-848a-7c74bba0b73a"
request_params = {
"userId": user_sha_id,
"sessionId": str(session_id),
"agentId": "924751e0-196e-4b22-bdbd-f0a9ac6a4e39",
"time": str(int(datetime.now(timezone.utc).timestamp())),
"origin": "mulerun.com",
"nonce": nonce,
}
# Ensure parameters are sorted by key before serialization
sorted_json = json.dumps(request_params, separators=(',', ':'), sort_keys=True)
signature = hmac.new(agent_key.encode(), json.dumps(request_param, sort_keys=True, separators=(',', ':')).encode(), sha256).hexdigest()
request_params["signature"] = signature
β
Important: Use json.dumps(..., sort_keys=True) to ensure consistent serialization order.
Signature Verification (Python Example)
from urllib.parse import parse_qs
import hmac
from hashlib import sha256
import json
agent_key = "your-agent-key" # Shared secret between MuleRun and Agent
query_string = "userId=...&signature=..."
# Parse query string
query_dict = {k: v[0] if len(v) == 1 else v for k, v in parse_qs(query_string).items()}
received_signature = query_dict.pop("signature")
# Recreate canonical string for HMAC
sorted_payload = json.dumps(query_dict, separators=(',', ':'), sort_keys=True)
calculated_hmac = hmac.new(
agent_key.encode(),
sorted_payload.encode(),
sha256
).hexdigest()
# Secure comparison
if hmac.compare_digest(calculated_hmac, received_signature):
# Valid request
pass
else:
# Invalid or tampered request
raise Exception("Invalid signature")
π The agent_key is your Agent Key that you can copy from your agent info in Creator Studio. It should be not be exposed to any 3rd party.
π Security Considerations
To ensure secure and trusted communication, the following mechanisms are implemented:
| Mechanism | Purpose |
|---|
| User ID Hashing | Raw user identifiers are hashed (e.g., SHA-256) to protect user privacy. |
| HMAC Signature | Prevents tampering of query parameters. Ensures authenticity of the request. |
| Timestamp Validation | Requests must be within a valid time window (e.g., Β±5 minutes) to prevent replay attacks. |
| Origin Domain Whitelisting | Only specified domains are allowed to receive iframe requests. Prevents unauthorized embedding. |
| Nonce Usage | Unique per-request identifier to prevent replay attacks and ensure freshness. |
β
Recommended Validation Logic:
π Metering APIs
MuleRun provides two APIs for managing session metering and billing:
Metering Report API
Used by agents to report usage costs for a session. This API supports idempotent metering with automatic deduplication to prevent double billing.
Endpoint: POST https://api.mulerun.com/sessions/metering
Key Features:
- Report usage costs in increments of 0.0001 credits
- Idempotency support via
meteringId to prevent duplicate billing
- Ability to mark reports as final to terminate sessions
- Grace period for late reports after session termination
View Full API Documentation β
Metering Get Reports API
Query usage costs for a given session and retrieve its current status. Useful for verifying reports were received and debugging billing issues.
Endpoint: GET https://api.mulerun.com/sessions/metering/{sessionId}
Returns:
- Current session status (
running, completed, or error)
- Count of successfully processed reports
- Whether final report was received
- List of all metering records with their IDs
View Full API Documentation β
