Getting Started

Creating a plugin

To create a new plugin, go to Settings > Plugins & API > Plugins and click on "Add a plugin".
Enter the name and URL of your plugin. Select the SDK version v1.0.0 to use the latest version.

If you are building a Partner Integration that you want to publish for all Front customers, we recommend that you build and test your plugin in a demo instance first. Once it’s ready to go, we’ll work with you according to our partnership process to get the plugin published for everyone.

Interacting with the Front UI

You can use any web framework or library you wish: it's just a web page embedded in Front.
To receive updates about the conversation a user is viewing or take actions such as adding a tag or creating a draft, please refer to the Plugin SDK Reference.

Note that plugins are not supported on the Front mobile apps.


Since plugins are simply web pages embedded in a sandboxed iframe within Front, how you authenticate users of the plugin is entirely up to you (OAuth, email/password, token etc.). Session storage with cookies will work as you might expect with any web browser.

However, for added security you might also consider the following options.

Setting a Content Security Policy

Restricting the domains that are allowed to embed your plugin is a simple way to ensure that your plugin is not used outside your preferred contexts. Additionally, if you are trying to embed a web page that has an existing content security policy in place, you will need to update that page’s content security policy accordingly.

The HTTP Content-Security-Policy frame-ancestors directive should be updated as follows:

Content-Security-Policy: frame-ancestors https://* https://*;

Token verification

To verify that your plugin is being requested by Front, you can check the auth_secret query parameter when your plugin is rendered. The auth_secret can be found in your plugin settings, and will be sent as a query parameter whenever Front renders your plugin. You can add it as a config var in your app, and then check against the auth_secret query param.

// In your web server, before serving the plugin HTML, read the auth_secret
// from the plugin's URL and verify that it matches the one you saved.
const frontPluginSecret = req.query.auth_secret;
const expectedSecret = process.env.FRONT_PLUGIN_SECRET;

// If the secret is not configured or the auth_secret does not match,
// the request does not come from Front.
if (!expectedSecret || frontPluginSecret !== expectedSecret)
  return res.sendStatus(401);

// ...proceed with the request.
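
A hardened form of the auth_secret check as Express-style middleware, added here as an example and not Front's own code: it fails closed when the configured secret is unset, rejects non-string query values, and compares in constant time. The names secretMatches, requireFrontSecret and simulate, and the sample secret, are assumptions made for the example.

```javascript
"use strict";
const crypto = require("node:crypto");

// Returns true only when `supplied` is a single string equal to `expected`.
function secretMatches(supplied, expected) {
  // Fail closed: an unset or empty configured secret must never match.
  if (typeof expected !== "string" || expected.length === 0) return false;
  // Express parses repeated (?auth_secret=a&auth_secret=b) or bracketed
  // parameters into arrays or objects; accept a plain string only.
  if (typeof supplied !== "string") return false;
  // Hash both sides so the buffers have equal length (timingSafeEqual throws
  // otherwise) and the comparison time does not depend on where they differ.
  const a = crypto.createHash("sha256").update(supplied, "utf8").digest();
  const b = crypto.createHash("sha256").update(expected, "utf8").digest();
  return crypto.timingSafeEqual(a, b);
}

// Middleware factory (hypothetical name, not part of the Front SDK).
// Usage: app.use(requireFrontSecret(process.env.FRONT_PLUGIN_SECRET));
function requireFrontSecret(expected) {
  return function (req, res, next) {
    const supplied = req.query ? req.query.auth_secret : undefined;
    if (!secretMatches(supplied, expected)) return res.sendStatus(401);
    return next();
  };
}

// Runs one constructed request through the middleware with a stub response
// and reports either the rejected status code or "next".
function simulate(query, expected) {
  let outcome = "pending";
  const res = { sendStatus: (code) => { outcome = code; } };
  requireFrontSecret(expected)({ query }, res, () => { outcome = "next"; });
  return outcome;
}

// Constructed sample inputs; the secret is not a real value.
const SAMPLE = "constructed-sample-secret";
const cases = [
  [{ auth_secret: SAMPLE }, SAMPLE],
  [{ auth_secret: "wrong" }, SAMPLE],
  [{}, undefined], // secret not configured and parameter absent
  [{ auth_secret: [SAMPLE, "x"] }, SAMPLE], // repeated parameter
];
for (const [query, expected] of cases) {
  console.log(JSON.stringify(query), "->", simulate(query, expected));
}
```

Because auth_secret arrives in the URL, configure access logs and error reporting to redact the query string.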

Sample plugin

We provide a small sample plugin that shows some basic things you can do using our JavaScript API. You can check the code on If you want to test directly, you can even set the plugin URL to be to see what the basic plugin can do.


A note about our sample plugin

With the release of the plugin SDK v1, the legacy version is now deprecated. Our sample plugin utilizes the legacy SDK. While still supported, new features and improvements will be exclusive to the current version.

For more on how to migrate from the legacy SDK to the current version, head to our migration guide.
