To show a live desktop session in your end-user’s browser — for “watch the AI work” UI, manual takeover, or kiosk-style apps — embed MIOSA’s KasmVNC stream.
The flow
1. Your backend asks MIOSA for a terminal ticket for a running computer
2. MIOSA returns a short-lived signed URL pointing at the stream gateway
3. Your frontend renders an iframe with that URL
4. The user sees the live desktop; keyboard/mouse input is forwarded into the VM
Mint a ticket
Response:
{
  "token": "miosa_term_...",
  "url": "https://stream.miosa.app/computer/cmp_xxx?ticket=miosa_term_...",
  "expires_at": "2026-05-14T19:30:00Z"
}
url is what you embed. token is also returned in case you need to construct your own URL (custom stream proxy, etc.).
Embed
KasmVNC handles pixel streaming + input forwarding inside the iframe. The user clicks / types in the iframe and those events go to the desktop.
What’s streamed
- Pixels — encoded video; KasmVNC defaults to a lossy codec tuned for desktop content.
- Cursor position — overlay rendered client-side.
- Audio — optional, off by default. Pass ?audio=1 if your app needs it.
- Clipboard — bidirectional, gated by the iframe’s allow="clipboard-read; clipboard-write".
Read-only mode
For “user watches the agent” UI where the end-user shouldn’t interact with the desktop:
const ticket = await computer.terminalTicket({ readOnly: true })
Input events from the iframe are dropped at the stream gateway. Useful for compliance-sensitive flows where only the AI agent should touch the screen.
Bandwidth
Default codec / bitrate is tuned for typical desktop content (~500 Kbps - 2 Mbps). For high-motion content (video playback inside the VM), the codec adapts but expect higher bitrate. The stream gateway is geo-routed to the user’s nearest region for lower latency.
Lifetime
Tickets are short-lived (default 1 hour, max 24 hours; configurable per plan). When a ticket expires the stream disconnects; your frontend should watch expires_at and re-mint before that.
Multiple tickets per computer are fine. Multiple browsers can watch the same desktop simultaneously — they all see the same pixels.
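The frontend side of the flow above, as an added example that is not MIOSA's own code: it checks a ticket response before its URL is put into an iframe, works out when to re-mint ahead of expires_at, and grants the clipboard permission only to interactive viewers. The helper names, the 60-second margin, the 15-character log prefix and the sample token value are assumptions; the response shape and the stream.miosa.app host are taken from the sample response on this page.

```javascript
// Added example (not MIOSA SDK code). Helper names, the 60 s refresh margin and
// the 15-character log prefix are assumptions made for this sketch.
const STREAM_HOSTS = new Set(["stream.miosa.app"]); // add your white-label stream host

// Constructed sample in the shape of the ticket response shown above.
const SAMPLE_TICKET = {
  token: "miosa_term_EXAMPLE",
  url: "https://stream.miosa.app/computer/cmp_xxx?ticket=miosa_term_EXAMPLE",
  expires_at: "2026-05-14T19:30:00Z",
};

// Validate a ticket before its URL reaches the DOM: HTTPS only, exact host
// match (no suffix or substring tests), and an expiry that is still ahead.
function checkTicket(ticket, nowMs = Date.now(), hosts = STREAM_HOSTS) {
  const u = new URL(ticket.url); // throws on malformed input
  if (u.protocol !== "https:") throw new Error("stream URL must be https");
  if (!hosts.has(u.hostname)) throw new Error("unexpected stream host: " + u.hostname);
  const expiresMs = Date.parse(ticket.expires_at);
  if (Number.isNaN(expiresMs)) throw new Error("unparseable expires_at");
  if (expiresMs <= nowMs) throw new Error("ticket already expired");
  return { src: u.href, expiresMs };
}

// Delay before asking the backend for a fresh ticket, leaving a safety margin.
function refreshDelayMs(expiresMs, nowMs = Date.now(), marginMs = 60_000) {
  return Math.max(0, expiresMs - nowMs - marginMs);
}

// Attributes for the <iframe>. Clipboard permission is granted only to
// interactive viewers; a read-only viewer gets an empty allow list.
function iframeAttrs(checked, { readOnly = false } = {}) {
  return { src: checked.src, allow: readOnly ? "" : "clipboard-read; clipboard-write" };
}

// The ticket is a bearer credential carried in a URL: log a prefix, never the whole token.
function tokenForLogs(token) {
  return token.slice(0, 15) + "...";
}
```

In the browser, pass the object your backend returns to checkTicket, copy the attributes onto the iframe element, and schedule the re-mint with setTimeout using refreshDelayMs.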
Custom domains / branded streaming
White-label customers can configure stream.<your-domain> to front MIOSA’s stream gateway, so end users see your brand in the iframe URL. Same DNS / TLS flow as Deployment Domains, different target. Contact support to set up.
CSP
The stream gateway emits Content-Security-Policy allowing the stream to be embedded from approved origins:
- Default: *.miosa.app, *.miosa.ai, localhost:4000.
- For white-label: add your platform origin via tenant config.
If your iframe doesn’t render, check the parent page’s CSP isn’t blocking the iframe and that the stream gateway CSP includes your origin.
Audit
Each ticket issuance emits an audit event with:
- The computer ID
- The token prefix
- Issuing API key
- External attribution
If a ticket is leaked, you can revoke all outstanding tickets for a computer:
DELETE /api/v1/computers/$CID/terminal-tickets
See also
- Overview — what you’re embedding
- Desktop Control — programmatic control of the same desktop
- Browser Tokens — analogous pattern for sandbox previews