Quickstart
This page walks you through the minimum work required to embed the iframe in your application, run an analysis, and retrieve the resulting DiagnosticReport. Everything described here can be customised further; see the Configure → Customize page for the full parameter reference.
1. Get a company identifier
The iframe authenticates by means of a company identifier (also called app key) that is appended to the iframe URL as the company query parameter.
You generate this identifier from your S2S API token by calling the POST /company-app-keys endpoint described in the Security page. Each generated key has an explicit expiresAt, so you should treat the company identifier as a short-lived credential and refresh it for every new iframe load.
The S2S API token is the secret used to mint company identifiers. It must stay on your backend. Only the resulting short-lived company value (the appKey) is safe to put in the iframe URL.
2. Build the iframe URL
The iframe is served from https://iframe.legit.health. Append the parameters you need; only company is mandatory:
<iframe
  src="https://iframe.legit.health/?company=YOUR_COMPANY_ID"
  width="100%"
  height="800"
></iframe>
Use the generator below to preview a configuration and copy the resulting URL. For the full parameter reference, see the Configure → Customize page.
The generator uses a sample company identifier so the preview works. Replace it with your own identifier before deploying.
3. Listen for the result
When the user finishes the upload, the iframe posts a message announcing that the analysis is complete and includes the identifier of the resulting report:
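window.addEventListener("message", function (event) {
  // Only accept messages sent from the iframe's own origin.
  if (event.origin !== "https://iframe.legit.health") {
    return;
  }
  // Ignore anything that is not the analysis-completed notification.
  if (!event.data || event.data.message !== "analysis_completed") {
    return;
  }
  const reportId = event.data.id;
  // store reportId, fetch the report from your backend, etc.
});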
The same message is delivered through different transports on iOS and Android. See the Callbacks → Analysis completed page for the per-platform code, and the Platforms section for the embedding details on each runtime.
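As an added example (not code from the Legit.Health documentation), the browser listener above can be factored into a validator that checks the sender's origin and source window and treats the id as untrusted input before it is handed to your backend. The string type and 512-character bound for the id, and the single-iframe lookup, are assumptions.

```javascript
// Added example: strict validation of the iframe's "analysis_completed" message.
// IFRAME_ORIGIN is taken from this page; the id constraints are assumptions.
const IFRAME_ORIGIN = "https://iframe.legit.health";
const MAX_ID_LENGTH = 512; // assumed upper bound; adjust to the real id format

/**
 * Returns the report id if `event` is an analysis_completed message sent by
 * the embedded iframe, otherwise null.
 * `iframeWindow` is the contentWindow of the <iframe> element you created.
 */
function extractReportId(event, iframeWindow) {
  // 1. Exact origin match; never use startsWith/includes on origins.
  if (event.origin !== IFRAME_ORIGIN) return null;
  // 2. The sender must be our iframe, not another window on the same origin.
  if (iframeWindow && event.source !== iframeWindow) return null;
  // 3. The payload must be an object carrying the expected discriminator.
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (data.message !== "analysis_completed") return null;
  // 4. Treat the id as untrusted input: string, non-empty, bounded length.
  const id = data.id;
  if (typeof id !== "string" || id.length === 0 || id.length > MAX_ID_LENGTH) {
    return null;
  }
  return id;
}

// Browser wiring (skipped when the file is run outside a browser).
if (typeof window !== "undefined") {
  const frame = document.querySelector("iframe"); // assumes a single iframe
  window.addEventListener("message", (event) => {
    const reportId = extractReportId(event, frame && frame.contentWindow);
    if (reportId === null) return;
    // Hand the id to your backend, which calls the API with the S2S token.
    console.log("analysis completed", reportId);
  });
}
```

Your backend should still validate the id it receives, since any script running in your page can call that backend route directly.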
4. Retrieve the report
Once you have a report identifier, your backend fetches the full DiagnosticReport from the API:
curl -X GET "https://api.example.com/s2s/v3/anonymous-diagnostic-reports/{encryptedId}?format=raw&locale=en" \
  -H "X-API-TOKEN: YOUR_S2S_TOKEN" \
  -H "accept: application/json"
The response includes a PDF download URL and a live report URL you can embed back into your interface. See the Output → API Endpoint page for the parameters and response shape, and the Output → JSON Schema section for the full payload schema.
End-to-end sequence
The diagram below shows the full lifecycle of a single analysis. Steps 1, 3, 5 and 6 are the only ones that require integration effort on your side: loading the iframe, storing the reportId from the postMessage, and calling the Legit.Health API from your backend to retrieve the DiagnosticReport. Every other step is handled by the iframe, the user, or the Legit.Health API.
Next Steps
- Customize the iframe? See the Configure → Customize page.
- Secure production access? See the Configure → Security page.
- Understand the callback structure? See the Callbacks section.
- Display or process the results? See the Output section.