Skip to content



  • Plugins are executed in their environment to prevent security issues
  • Plugins can create their own UI and loaded in a separate view (similar to vscode extensions)
  • Plugins can access the component Api and therefore extend the client UI
  • Plugins can access the WebSocket Connection/Rest API and intercept/transform events
  • Plugins are restricted and can only do actions with the corresponding permission
  • Plugins should be accessible through a store that needs to verify the plugins (with dev options to sideload plugins/add other stores)


  • Can't access the user's token (token plugins should rather be directly integrated into the client (e.g. account switcher))
  • All permissions must meet the purpose of the plugin and must justify why they need the certain permission to be approved
  • Shouldn't be able to make any request, except if it:
    • Requests permission to access the api of the network
    • Requests permission to access a specific domain (e.g. plugins backend)
    • Requests permission to access all domains
  • Shouldn't be able to intercept events, except if it:
    • Requests permission to a specific event(s)
    • Requests permission to all events
  • Needs to request permission to be able to extend the client's UI

more coming soon

Back to top