How does authentication work in the viewer?

The viewer authenticates via API key (query parameter or header) or by marking a specific pedigree as public. For patient portals and EHR embed, use an API key held server-side and rendered into a short-lived signed URL — do not expose the key to the browser. Public-pedigree mode is appropriate for demos, research outreach, and published research figures.

Is the viewer safe inside a cross-origin iframe?

The viewer supports Content Security Policy headers and frame-ancestors directives so hosting domains can restrict where the viewer loads. For EHR and patient-portal use, configure frame-ancestors to the explicit host domain and use strict Referrer-Policy. Evagene sets appropriate X-Content-Type-Options and related response headers on its endpoints.

Can I style the embedded pedigree?

The SVG and iframe embeds respect a small set of query parameters controlling size, theme (light/dark), and label density. Deep styling of the pedigree itself happens in the Evagene UI; the embed surface is intentionally narrow so the visual output remains clinically consistent.

What happens when the pedigree updates?

The viewer fetches the current state when loaded. For live updates, wire the hosting page to Evagene's pedigree.updated webhook via your integration service — when it fires, trigger a re-render (iframe reload or re-fetch of the SVG) client-side. Evagene does not currently push server-sent events directly to the viewer.

Can I use the viewer without an Evagene account for my users?

Yes. The viewer needs an API key to fetch a private pedigree, but that key is held by your integration service — your end users never see it or sign into Evagene. This is the standard pattern for patient portals and EHR web-content embeds.

Embeddable Pedigree Viewer — iframe, SVG, JavaScript Snippet (2026)

Q: What are the three embed modes?

Iframe to a self-contained HTML page (interactive, scriptable), raw SVG endpoint (static, lightweight, pastes into an img or object tag), and JavaScript snippet (auto-discovers data-evagene-pedigree attributes on the page and renders SVG inline). Use the iframe for full interactivity, SVG for simple display, and the JavaScript snippet when you want inline SVG without managing iframes.

Short version. Evagene's embeddable pedigree viewer ships in three modes. The iframe mode embeds a self-contained HTML viewer with interactivity (zoom, pan, individual focus). The raw SVG mode exposes the pedigree as a static SVG file usable in any img, object, or inline context. The JavaScript snippet mode discovers data-evagene-pedigree attributes on your page and renders SVG inline so the pedigree is part of your DOM. Authentication is via API key held by your server, or by marking a specific pedigree as public. CSP, frame-ancestors, and Referrer-Policy are under your control. Use the iframe for interactive views in patient portals and EHR embeds, raw SVG for lightweight display and print, and the JavaScript snippet for research dashboards where the pedigree participates in page-level styling.

This page walks through each mode, the trade-offs, and the security considerations — with honest notes about when to reach for each.

Why three modes?

Clinical pedigree diagrams get embedded into very different contexts. A patient portal wants an interactive view with hover labels and zoom; a publishing pipeline wants a static SVG it can drop into a PDF; a research dashboard wants inline SVG it can style with its own CSS and annotate alongside charts. One embed shape does not fit all of these. Evagene therefore ships three:

iframe — an isolated viewer loaded from Evagene's domain with its own JavaScript, rendering logic, and interactive controls.
raw SVG — a plain SVG file served from an Evagene endpoint, usable anywhere SVG is usable.
JavaScript snippet — a small script you include once per page; it scans for data-evagene-pedigree attributes and inlines the corresponding SVG.

All three render the same clinical notation (NSGC-style symbols, affected status, deceased markers, proband arrow, consanguinity loops) so the visual output is consistent regardless of the mode your integration uses.

Mode 1: iframe embed

The iframe is the most common choice for user-facing embeds. It isolates the viewer's script context from the hosting page, which is desirable both for stability and for defence-in-depth.

<iframe
  src="https://evagene.com/embed/pedigree/ped_9f2b...?api_key=evg_xxx&theme=light"
  width="100%"
  height="560"
  frameborder="0"
  loading="lazy"
  sandbox="allow-scripts allow-same-origin">
</iframe>

Design notes:

In production, do not put the API key in the browser. Your server generates a short-lived signed URL or holds the key and proxies the request, so the browser sees only an opaque viewer URL.
Set sandbox attributes deliberately. For a read-only viewer in a patient portal, allow-scripts allow-same-origin is typical; omit allow-top-navigation and allow-popups unless you need them.
Use loading="lazy" for below-the-fold embeds to reduce initial page weight.

Mode 2: raw SVG

For pipelines that need a static image — PDFs, print reports, research figures, email summaries — the raw SVG endpoint returns the pedigree as an SVG file you can embed directly.

<!-- Inline SVG from a server-rendered HTML page: -->
<img src="https://evagene.com/embed/pedigree/ped_9f2b.../svg?theme=light"
     alt="Family pedigree" />

<!-- Or as an object that preserves SVG scalability: -->
<object type="image/svg+xml"
        data="https://evagene.com/embed/pedigree/ped_9f2b.../svg"></object>

Design notes:

The SVG endpoint authenticates via API key too. For public research figures, mark the pedigree as public and drop the authentication entirely.
SVG is vector: it prints cleanly and scales to any size without degradation, which matters for clinical reports.
Use object or iframe if you want the SVG's internal CSS to apply fully; use img if you want CSS isolation and a simpler element.

Mode 3: JavaScript snippet

The snippet mode is for pages that want the pedigree to live inside the page's DOM — for example, a research dashboard that overlays annotations, or a page that wants the pedigree to participate in the page's own theme and CSS variables.

<!-- Once per page: -->
<script src="https://evagene.com/embed.js" async></script>

<!-- Anywhere on the page: -->
<div data-evagene-pedigree="ped_9f2b..."
     data-evagene-api-key="evg_xxx"
     data-evagene-theme="light"></div>

Design notes:

In production the data-evagene-api-key is server-injected after the host page has verified the current user's access to that pedigree — do not hard-code it in static HTML.
The snippet inlines SVG, so the pedigree is part of your page's DOM and your CSS can reach it (with the obvious caveat that deep styling changes to clinical notation are rarely a good idea).
Initial paint is slightly later than the iframe mode because of the additional script parse step.

Worked patterns

Patient portal family-history tab

A patient portal adds a "Family History" tab showing the pedigree the genetics service has constructed. The portal's backend holds the Evagene API key, generates a signed short-lived iframe URL when the patient opens the tab, and renders it. The patient sees the pedigree but never sees the key or an Evagene login. When the clinician updates the pedigree, Evagene fires pedigree.updated; the portal invalidates the tab's cache so the next load shows the updated state.

Research dashboard

A research group builds a Streamlit-style dashboard showing pedigree plots next to variant tables. The dashboard uses the JavaScript snippet mode so each pedigree is inline SVG, styled to match the dashboard's dark theme, and can be annotated with the dashboard's own overlays. Pedigrees are batch-loaded via the REST API; the embed is purely for display.

EHR-lite web-content embed

A clinical service without a full EHR integration budget embeds the iframe viewer inside an Epic hyperspace web-content frame or Oracle Health equivalent. See EHR pedigree integration for the end-to-end pattern and governance considerations.

Print and PDF reports

A reporting pipeline generates clinical letters in PDF. At generation time, the pipeline fetches the raw SVG for each pedigree and drops it into the PDF using an SVG-aware renderer. The result is a crisp, vector pedigree on the letter rather than a rasterised screenshot.

Security considerations

Embedding a clinical diagram on a third-party page is a classic cross-origin problem. Evagene gives you the primitives; your integration owns the policy.

Content Security Policy. Configure frame-src to allow Evagene's embed host only; configure frame-ancestors on Evagene's response headers (via deployment config) to allow only your host domains.
Referrer-Policy. Use strict-origin-when-cross-origin or no-referrer when embedding into patient-facing contexts so pedigree IDs do not leak via referrer headers.
API key handling. Never expose a write- or analyse-scope key to the browser. Use a read-scope key for embed, and hold it server-side. Consider rotating keys regularly and using IP allow-lists on the Evagene side.
Sandboxing. For the iframe mode, use the sandbox attribute with the minimum capabilities needed.
Audit. Evagene logs API-key usage; your integration should log embed serve events on its side so you can correlate and investigate.

How this works in Evagene

The viewer is an API client: it calls the pedigree REST API with a read-scope key to fetch the pedigree's individuals and relationships, then renders standard clinical notation. Authentication and scope-checking are handled on the API side, so the viewer's behaviour is consistent across modes. Public pedigrees skip auth entirely — useful for demos and published research figures.

Pedigree data flowing into Evagene (via GEDCOM import, 23andMe, or image OCR), analysis output (BRCAPRO, MMRpro, PancPRO, Mendelian, AI interpretation), and annotation changes all flow back out through the same viewer automatically. If an MCP-driven AI agent modifies the pedigree, the next viewer load reflects the change.

Frequently asked questions

What are the three embed modes?

Iframe (interactive, isolated), raw SVG (static, lightweight), JavaScript snippet (inline SVG). Use iframe for patient portals and EHR embed, SVG for print and PDF, snippet for dashboards.

How does authentication work?

API key held server-side, or mark the pedigree public for demos and published figures. Never expose write/analyse keys to the browser.

Is the viewer safe cross-origin?

Yes, with CSP, frame-ancestors, and Referrer-Policy configured. Use the iframe sandbox attribute and lock scopes down.

Can I style the pedigree?

Small set of query parameters (size, theme, label density). Deep styling is intentionally constrained to keep clinical notation consistent.

What about live updates?

Drive re-render from the pedigree.updated webhook via your integration service. No direct server-push to the viewer today.

Do my users need Evagene accounts?

No. Your integration holds the API key. Your users see only the pedigree.

Embeddable pedigree viewer: iframe, SVG, and JavaScript snippet

Why three modes?

Mode 1: iframe embed

Mode 2: raw SVG

Mode 3: JavaScript snippet

Worked patterns

Patient portal family-history tab

Research dashboard

EHR-lite web-content embed

Print and PDF reports

Security considerations

How this works in Evagene

Frequently asked questions

What are the three embed modes?

How does authentication work?

Is the viewer safe cross-origin?

Can I style the pedigree?

What about live updates?

Do my users need Evagene accounts?

Related reading

Evaluate Evagene for your service