xumm: When referring to xumm, we mean the xumm app, which is only for iOS or Android devices.
xumm platform: When referring to the xumm platform, we mean the API for developers to deliver sign requests to their end users via the xumm app.
xumm API: When referring to the xumm API, we mean the xumm API associated with the xumm platform.
application: When referring to the application, we mean the developer's own application and NOT the xumm app.
XRP transactions are usually user-initiated: you open your wallet, enter the destination, amount, etc., and then submit your transaction. In retail / e-commerce (and many other) scenarios, "reversing" this process makes the payment flow less prone to mistakes and much more user-friendly.
This is where the xumm platform comes in. An XRPL transaction "template" can be posted to the xumm API. Your sign request is stored (the stored request is called a payload), so the xumm app user can open the sign request (by scanning a QR code, following a deeplink or tapping a push notification) and resolve it (reject/sign) on their own device.
When a user signs your sign request, he or she can trust your application. In this case an application-specific user token will be generated for your application, and future payloads will be delivered straight to the end user with a push notification.
As the xumm platform offers different status update options with all the information you need to verify the signed transaction on the XRP ledger, you can, but don't have to, rely on transaction callback information or transaction submission by the xumm app.
Please note that the xumm platform only allows API calls from a server-side backend. If you initiate a sign request from your frontend, make sure your backend adds the destination account address and redirect URLs, as it's a security risk if those values are based on user input or frontend-provided data.
A server-to-server architecture is required for security reasons: if sign requests could be generated and posted to the xumm API from a client-side environment, an attacker could easily create sign requests on behalf of other apps.
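The backend rule above, as an added example that is not part of the original page or xumm's own code: the backend reads only an item identifier from the frontend and fills in the destination account, amount and redirect URL from server-side configuration. The payload shape (`txjson`, `options.return_url.web`), the function name, the account placeholder, the URL and the price list are assumptions constructed for illustration.

```javascript
// Added example (not xumm's code). These values live on the backend and are
// never taken from the request.
const SERVER_CONFIG = Object.freeze({
  destination: 'rMERCHANT_ACCOUNT_PLACEHOLDER',        // placeholder, not a real account
  returnUrl: 'https://shop.example/checkout/complete', // constructed URL
});

// Constructed price list in drops (1 XRP = 1,000,000 drops), kept server-side.
const PRICES_IN_DROPS = Object.freeze({
  'sku-coffee': '2500000',
  'sku-mug': '12000000',
});

// Build the sign request body from a frontend request. Only `sku` is read from
// the request; every other client-sent field is ignored and reported back so
// the caller can log the attempt to override server-controlled values.
function buildSignRequest(frontendBody) {
  const body = frontendBody !== null && typeof frontendBody === 'object' ? frontendBody : {};
  const sku = body.sku;
  // Own-property check so that keys such as "constructor" never resolve to a price.
  if (typeof sku !== 'string' || !Object.prototype.hasOwnProperty.call(PRICES_IN_DROPS, sku)) {
    throw new Error('unknown sku');
  }
  return {
    ignoredClientFields: Object.keys(body).filter((key) => key !== 'sku'),
    payload: {
      txjson: {
        TransactionType: 'Payment',
        Destination: SERVER_CONFIG.destination, // server-side value only
        Amount: PRICES_IN_DROPS[sku],           // server-side price, in drops
      },
      options: { return_url: { web: SERVER_CONFIG.returnUrl } },
    },
  };
}

// Constructed request from a tampered frontend: the extra fields have no effect.
const tamperedRequest = {
  sku: 'sku-coffee',
  Destination: 'rSOMEONE_ELSE_PLACEHOLDER',
  return_url: 'https://other.example/',
  Amount: '1',
};
console.log(JSON.stringify(buildSignRequest(tamperedRequest), null, 2));
```

The returned `payload` object is what the backend would then post to the xumm API with its own credentials; that call is left out so the example runs offline.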