Skip to content
LootBox Solutions

Guest mode

Anyone can see boxes without logging in — the catalog API, the recommended widget, and a box page all render to logged-out visitors by default. Browsing needs nothing special.

“Guest mode” is specifically about the box page: it shows a box to an anonymous visitor — art, price, odds, prizes, branding — but opening requires authentication, because spending needs a session and a wallet behind the player. It’s ideal for marketing surfaces, a logged-out home page, or SEO-friendly previews.

The only thing a guest can’t do is open/buy a box. Browsing lists, viewing a box, and theming are identical to a logged-in player.

Launch a guest box page

Pass a boxId instead of a token:

<iframe
  src="https://{operator}.app.lootboxsolutions.com/play?boxId=42&parent=https://casino.example"
  style="width:100%;height:640px;border:0">
</iframe>

The game app fetches a read-only bootstrap (box details, price, theme) and renders the box with its call-to-action — but the player can’t open it, because there’s no authenticated session or wallet yet. When a guest taps the CTA, the iframe emits play:auth-required:

{ "source": "lootbox-solutions", "type": "play:auth-required", "boxId": 42, "priceMinor": 500, "currency": "EUR" }

Convert without a reload

Casinos that authenticate players via their own API (an SPA, no full page load) can upgrade the same iframe from guest to authenticated in place — no src swap, no reload, the box stays on screen:

  1. Sign the visitor in (your flow).
  2. Mint a launch token server-side for the now-known playerExternalId, targeting the same boxId.
  3. Send the authenticate command into the iframe with that token. The game app exchanges it, switches to the authenticated session, and emits session:authenticated when done.
const FRAME = document.querySelector('#lootbox-solutions-iframe');


window.addEventListener('message', async (e) => {
  if (e.data?.source !== 'lootbox-solutions') return;
  if (e.data.type === 'play:auth-required') {
    const player = await signInFlow();                       // your API — no page reload
    const { launchToken } = await mintLaunch(player.id, { boxId: e.data.boxId });
    FRAME.contentWindow.postMessage(
      { source: 'host', type: 'authenticate', launchToken },
      'https://{operator}.app.lootboxsolutions.com');
  }
  if (e.data.type === 'session:authenticated') {
    // now logged in inside the same iframe — sync your own chrome if you want
  }
});

Convert with a reload

If your sign-in necessarily reloads the page (server-rendered flows), just re-embed the authenticated launchUrl instead:

const { launchUrl } = await mintLaunch(player.id, { boxId });
document.querySelector('#lootbox-solutions-iframe').src = launchUrl;

What guests can and can’t do

CanCan’t
Browse boxes (lists, widget, box page)Open / buy a box
See prices, odds, branding & themeHave a balance or inventory
Trigger play:auth-requiredPersist a session

Guest mode keeps the funnel inside your surface: the visitor sees real boxes, and intent to play converts cleanly — in place for SPAs, or via a re-embed.