Iframe microservices and postMessage API security

I'm trying to understand how I can protect my SPA. The application is based on microservices and contains modules which are hosted on a couple of servers. These modules work like SPAs, e.g. the page with the accounting module is a separate application. All of the modules are hosted in the main application in an iframe component. The communication between them relies on sending messages with postMessage(). Of course, I also check the origin in each action. I want to pass data (also sensitive) between the iframe and the main application. I came up with a diagram for developers:

  1. A registered user will receive an identification key.
  2. The SPA module would have to meet the requirements of the CORS policy. This is how I provide a proxy.
  3. The SPA module should have an authentication module that allows access to the API, database, etc.
  4. Obviously, the SPA module and the parent app are on the SSL protocol.

Of course, I don't know how to create a strong authentication module for this case. Maybe all you need to do is provide the secret key inside the postMessage request. Maybe it's more complicated than I think.

I will add: I want to provide an interface for developers to create their own modules (embedded SPAs). This may be a similar solution to Google Maps. In this case, maybe additional security isn't necessary - I don't know. I have a problem with understanding this.
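
The origin check mentioned in the question, sketched from the parent application's side as an added example (not part of the original post). The module origins, message types and the `data-module-origin` attribute are assumptions made for illustration.

```javascript
// Added example: parent-side validation of messages from module iframes.
// Module names, origins and message types are constructed for illustration.
const MODULES = new Map([
  ["https://accounting.example", { name: "accounting", allowedTypes: new Set(["ready", "invoice:selected"]) }],
  ["https://reports.example", { name: "reports", allowedTypes: new Set(["ready"]) }],
]);

// frames: Map of origin -> contentWindow of the iframe the parent created for it.
function validateModuleMessage(event, frames) {
  const mod = MODULES.get(event.origin); // exact match, never substring or regex
  if (!mod) return { ok: false, reason: "unknown origin" };
  // The sender must be the very window the parent embedded for that origin.
  if (frames.get(event.origin) !== event.source) {
    return { ok: false, reason: "unexpected source window" };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  if (!mod.allowedTypes.has(msg.type)) {
    return { ok: false, reason: "type not allowed for module" };
  }
  return { ok: true, module: mod.name, type: msg.type, payload: msg.payload };
}

// Replies name the module's origin explicitly instead of "*", so the browser
// drops the message if the frame has navigated to another origin.
function replyTo(event, frames, message) {
  if (!validateModuleMessage(event, frames).ok) return false;
  event.source.postMessage(message, event.origin);
  return true;
}

// Browser wiring (skipped when the file is run outside a browser).
if (typeof window !== "undefined") {
  const frames = new Map();
  for (const iframe of document.querySelectorAll("iframe[data-module-origin]")) {
    frames.set(iframe.dataset.moduleOrigin, iframe.contentWindow);
  }
  window.addEventListener("message", (event) => {
    const result = validateModuleMessage(event, frames);
    if (!result.ok) return console.warn("dropped message:", result.reason, event.origin);
    // Dispatch result.type and result.payload to the application here.
  });
}
```

Each module iframe needs the mirror-image check: compare `event.origin` with the parent application's origin and `event.source` with `window.parent` before acting on a message.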



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
