The Tolgee Apps Story

You need a way to add new features to your platform without affecting the core codebase. This is where plugins come in.
- They allow you to add new functionality without modifying the core platform.
- They provide a way to test new features with a small group of users before rolling them out to everyone.
We built Tolgee Apps using the "embedded iframe app" model. This model uses a JSON manifest to declare modules and scopes, sandboxed iframes, a postMessage bridge, and signed webhooks.
- It's language-agnostic, so app authors can deploy anywhere.
- It provides true origin isolation, so the plugin's JavaScript runs in a separate browsing context.
Here's how it works:
- The app's manifest declares its metadata, UI modules, required scopes, and webhook subscriptions.
- Tolgee renders each UI module inside a sandboxed iframe and hands it a scoped context over postMessage.
- The app can call the Tolgee REST API with a short-lived JWT token.
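
The host side of the postMessage bridge described above, as an added example that is not Tolgee's own code: it authenticates each message by sender window and origin, then enforces the scopes granted from the manifest. The message shape, method names, scope strings and `https://app.example` are constructed for illustration, and the frame is assumed to keep its own origin.

```javascript
// Added example: host-side gate for a postMessage bridge to a sandboxed app iframe.
// Hypothetical mapping of bridge methods to the scope each one requires.
const METHOD_SCOPES = {
  "keys.list": "keys.view",
  "translations.set": "translations.edit",
};

function reply(msg, error) {
  return { requestId: msg.requestId, ok: false, error };
}

// frameWindow: contentWindow of the iframe the host rendered for this app
// appOrigin: origin the app is served from (assumed to come from its manifest)
// grantedScopes: scopes declared in the manifest and approved at install time
function createBridge({ frameWindow, appOrigin, grantedScopes, handlers }) {
  const scopes = new Set(grantedScopes);
  return function handle(event) {
    // 1. Only the iframe we rendered may use the bridge. Origin alone is not
    //    enough: another window from the same app origin could post to us.
    if (event.source !== frameWindow) return null;
    // 2. The sender must still be on the app's origin. A frame with an opaque
    //    origin reports the string "null" and never matches here.
    if (event.origin !== appOrigin) return null;
    // 3. Treat the payload as untrusted input and check its shape.
    const msg = event.data;
    if (typeof msg !== "object" || msg === null) return null;
    if (typeof msg.requestId !== "string" || typeof msg.method !== "string") return null;
    // 4. Own-property lookup, so names like "constructor" are not accepted.
    if (!Object.prototype.hasOwnProperty.call(METHOD_SCOPES, msg.method)) {
      return reply(msg, "unknown_method");
    }
    // 5. Enforce the granted scopes on every call, not only at install time.
    if (!scopes.has(METHOD_SCOPES[msg.method])) return reply(msg, "missing_scope");
    return { requestId: msg.requestId, ok: true, result: handlers[msg.method](msg.params) };
  };
}

// Browser wiring (not executed here): answer with an explicit targetOrigin
// so the response cannot reach a document the frame navigated to.
//   window.addEventListener("message", (e) => {
//     const res = handle(e);
//     if (res) iframe.contentWindow.postMessage(res, appOrigin);
//   });
```
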
The auth model is based on a short-lived JWT token that uses a dedicated audience and carries only identity claims.
- The token is minted when the app's iframe is rendered.
- The app uses its clientSecret for server-side operations.
Tolgee Apps are still in the proof-of-concept stage, but we're planning to release a working production version soon.
- The next step is to split the work into smaller chunks and start implementing from scratch.
- We'll carefully review everything to make sure the security and code quality are solid.