If your enterprise account is set up with Qflow’s white-label option, you can embed the Qflow dashboard inside an iframe in your own portal and sign your users into it without a password prompt. They see Qflow events, guest lists and statistics — fully branded as you, fully inside your product.

How it works

  1. You generate a short-lived SSO token server-side, encrypted with a shared secret only you and Qflow know.
  2. You embed an iframe pointing at https://<your-enterprise>.qflowhub.io/sso?successUrl=...&token=<encrypted>.
  3. Qflow decrypts the token, signs the named user in, and redirects to successUrl (e.g. the events list, or a specific event).

Prerequisites

You’ll need three things, all provided by Qflow when your enterprise white-label is set up:
| Item | What it is | Example |
| --- | --- | --- |
| Enterprise PIN | Short identifier for your enterprise (also used in usernames) | 123 |
| Enterprise key (KEY) | Shared secret used for AES encryption — server-side only, never exposed to browsers | hfdg8AZgkKCQcNCgwOBAYIBa |
| Enterprise prefix | Subdomain we host your branded portal on | your_enterprise.qflowhub.io |

You’ll also need the user GUID of the user you want to sign in. Each user in your enterprise has a unique id — see the Users API for creating and listing users.
The enterprise key is the encryption secret. Anyone with it can sign in as any user in your enterprise. Keep it server-side only — never ship it to a browser, mobile app, or public repo. If exposed, contact support to rotate.

The encryption recipe

The token is <userId>@<enterprisePin> encrypted with AES-256-CBC using your enterprise key, then Base64-encoded and URL-encoded.
```text
plaintext  = "<userGuid>@<enterprisePin>"
key        = your enterprise KEY (32-byte string)
iv         = "qflow_sec_vector"     (fixed 16-byte IV — same for everyone)
ciphertext = AES-256-CBC(key, iv).encrypt(plaintext)
encoded    = url_encode( base64_encode( ciphertext ) )
```
The result goes in the token query parameter on the SSO URL.

Examples

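```php
<?php
$userId         = '050f4a44-d7d1-452e-837a-0d2759dcfa69';
$enterprisePin  = '123';
// Sample key. A real key must be exactly 32 bytes: openssl_encrypt()
// silently pads a shorter key with NUL bytes and truncates a longer one.
$enterpriseKey  = 'hfdg8AZgkKCQcNCgwOBAYIBa';

// Plaintext is "<userGuid>@<enterprisePin>"
$plaintext = $userId . '@' . $enterprisePin;
$iv        = 'qflow_sec_vector'; // fixed 16-byte IV

$encrypted = openssl_encrypt(
    $plaintext,
    'AES-256-CBC',
    $enterpriseKey,
    OPENSSL_RAW_DATA,
    $iv
);
// openssl_encrypt() returns false on failure; never emit an empty token
if ($encrypted === false) {
    throw new RuntimeException('SSO token encryption failed');
}

// Base64-encode, then URL-encode for use in the query string
$token = urlencode(base64_encode($encrypted));

$ssoUrl = 'https://your_enterprise.qflowhub.io/sso?successUrl=/events&token=' . $token;
// Escape the URL for the HTML attribute context
echo '<iframe src="' . htmlspecialchars($ssoUrl, ENT_QUOTES) . '" width="100%" height="900"></iframe>';
?>
```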

Embedding

Place the resulting URL in an iframe src:
```html
<iframe
  src="https://your_enterprise.qflowhub.io/sso?successUrl=/events&token=<encrypted_token>"
  width="100%"
  height="900"
  frameborder="0">
</iframe>
```
The iframe parent (your portal) needs to be on a domain we’ve allow-listed as a referrer. Send us the domain when you’re set up.

successUrl — where to land

successUrl is the path inside the Qflow dashboard the user is redirected to after sign-in. Common targets:
| successUrl | What it shows |
| --- | --- |
| /events | The full events list for the user |
| /events/edit/<eventId> | Edit page for a specific event |
| /events/edit/<eventId>?act=guests | Guest list for a specific event |
| /events/edit/<eventId>?act=stats | Statistics for a specific event |

Keep successUrl to a path; don’t include the host. The browser combines it with the enterprise host automatically.

Security notes

  • Always generate the token server-side. Never compute the encryption in the browser — the key would be exposed.
  • Tokens are short-lived per the iframe load. Generate a fresh token each time the iframe is rendered; don’t reuse stale ones.
  • Validate the userId belongs to your enterprise before generating the token. Don’t blindly accept any GUID from your own UI without a server-side check, or a hostile client could probe other users’ accounts.
  • Revoke users in the Users API rather than relying on stopping token generation — a deactivated user signed in via SSO is still effectively signed in until they log out or the session expires.

Getting set up

White-label setup (enterprise prefix domain, branding, allow-listed parent domain, enterprise key issuance) is done by Qflow support. Email support@qflowhub.io with your enterprise PIN and the parent domain you’ll embed from to get started.