To create a new plugin, go to Settings > Plugins & API > Plugins and click on "Add a plugin".
Enter the name and URL of your plugin. Select the SDK version v1.0.0 to use the latest version.
If you are building a Partner Integration that you want to publish for all Front customers, we recommend that you build and test your plugin in a demo instance first. Once it’s ready to go, we’ll work with you according to our partnership process to get the plugin published for everyone.
You can use any web framework or library you wish: it's just a web page embedded in Front.
To receive updates about the conversation a user is viewing or take actions such as adding a tag or creating a draft, please refer to the Plugin SDK Reference.
Note that plugins are not supported on the Front mobile apps.
Since plugins are simply web pages embedded in a sandboxed iframe within Front, how you authenticate users of the plugin is entirely up to you (OAuth, email/password, token etc.). Session storage with cookies will work as you might expect with any web browser.
However, for added security you might also consider the following options.
Restricting the domains that are allowed to embed your plugin is a simple way to ensure that your plugin is not used outside your preferred contexts. Additionally, if you are trying to embed a web page that has an existing content security policy in place, you will need to update that page’s content security policy accordingly.
frame-ancestors directive should be updated as follows:
Content-Security-Policy: frame-ancestors https://*.frontapp.com https://*.frontapplication.com;
To verify that your plugin is being requested by Front, you can check the
auth_secret query parameter when your plugin is rendered. The
auth_secret can be found in your plugin settings, and will be sent as a query parameter whenever Front renders your plugin. You can add it as a config var in your app, and then check against the
auth_secret query param.
// In your web server, before serving the plugin HTML, get the auth_secret from the plugin's URL and verify that it matches the one saved. const frontPluginSecret = req.query.auth_secret; // If the auth_secret does not match, the plugin does not come from Front. if (frontPluginSecret !== process.env.FRONT_PLUGIN_SECRET) return res.sendStatus(401); // ...proceed with the request.
A note about our sample plugin
With the release of the plugin SDK v1, the legacy version is now deprecated. Our sample plugin utilizes the legacy SDK. While still supported, new features and improvements will be exclusive to the current version.
For more on how to migrate from the legacy SDK to current head to our migration guide.
Updated about a month ago