Since plugins are simply web pages embedded in a sandboxed iframe within Front, how you authenticate users of the plugin is entirely up to you (OAuth, email/password, token etc.). Session storage with cookies will work as you might expect with any web browser.

However, for added security you might also consider the following options.

Setting a Content Security Policy

Restricting the domains that are allowed to embed your plugin is a simple way to ensure that your plugin is not used outside your preferred contexts. Additionally, if you are trying to embed a web page that has an existing content security policy in place, you will need to update that page’s content security policy accordingly.

The HTTP Content-Security-Policy frame-ancestors directive should be updated as follows:

Content-Security-Policy: frame-ancestors https://*.frontapp.com https://*.frontapplication.com;

Token verification

To verify that your plugin is being requested by Front, you can check the auth_secret query parameter when your plugin is rendered. The auth_secret can be found in your plugin settings, and will be sent as a query parameter whenever Front renders your plugin. You can add it as a config var in your app, and then check against the auth_secret query param.

To access the auth_secret from a webserver:

// In your web server, before serving the plugin HTML, get the auth_secret from the plugin's URL and verify that it matches the one saved.
const frontPluginSecret = req.query.auth_secret;

// If the auth_secret does not match, the plugin does not come from Front.
if (frontPluginSecret !== process.env.FRONT_PLUGIN_SECRET)
  return res.sendStatus(401);

// ...proceed with the request.

To access the auth_secret from a static page:

// Access the current url of the page, there are many ways to do that
// this shows one example using the `window` object.
var url = new URL(window.location.href);

// The query param will be attached to the url of the current page
// and you can access it via `auth_secret`
var authToken = url.searchParams.get('auth_secret');