Skip to content



  • Plugins are executed in their environment to prevent security issues.
  • Plugins can create their own UI and loaded in a separate view (similar to vscode extensions).
  • Plugins can access the component Api and therefore extend the client UI.
  • Plugins can access the WebSocket Connection/Rest API and intercept/transform events.
  • Plugins are restricted and can only do actions with the corresponding permission.
  • Plugins should be accessible through a store that needs to verify the plugins (with dev options to load plugins/add other stores).


  • Can't access the user's token (token plugins should rather be directly integrated into the client (e.g. account switcher)).
  • All permissions must meet the purpose of the plugin and must justify why they need the certain permission to be approved.
  • Shouldn't be able to make any request, except if it:

    • Requests permission to access the api of the network.
    • Requests permission to access a specific domain (e.g. plugins backend).
    • Requests permission to access all domains.
  • Shouldn't be able to intercept events, except if it:

    • Requests permission to a specific event(s).
    • Requests permission to all events.
  • Needs to request permission to be able to extend the client's UI.

more coming soon