Custom Plugin Development

Get started with your custom plugin development.

Custom plugins are embedded web applications that extend the functionality of the Staffbase platform. Start building the solution you have envisioned and streamline content and processes for users.

When developing custom plugins for the Staffbase platform, you have the following choices:

  • Development team
    • You can develop plugins with your in-house team or outsource development to our partners or vendors. Staffbase has built a network of technical implementation partners, and we are happy to help you find the right partner or vendor.
  • Programming language
    • You can use the programming language of your choice. We provide you with NodeJS and PHP.


Before you start developing the custom plugin, ensure that your custom plugin meets the requirements for embedded web applications and can also function on mobile devices:

  • The X-Frame-Options header is set to allow rendering of the custom plugin in an iframe.
    Note: The Content-Security-Policy (CSP) HTTP header has a frame-ancestors directive which obsoletes the X-Frame-Options header for supporting browsers. To ensure that rendering is supported on all browsers, set the CSP entry for the frame-ancestors directive as:
    • Content-Security-Policy: frame-ancestors 'self' http://{appdomain} https://{appURL} capacitor://{appdomain} capacitor:// localhost:*;
      The appURL is the full URL of the application. The appdomain is only the domain of the URL.
      For example, if your application URL is, the appURL is, the appdomain is
  • You need to make sure that not only the domain of your Staffbase app or intranet is added to the frame-ancestors directive, but also capacitor://{appdomain} capacitor:// localhost:* to support rendering the custom plugin in the mobile apps.
  • The custom plugin URL uses HTTPS.
    Note: The requirements for the SSL certificate are higher for mobile devices than desktop devices. An A or A+ on this test is usually a good sign that it will work. Test your URL, here.
  • Supports the remote deletion and remote log out in compliance with the General Data Protection Policy (GDPR), the law on data protection and privacy.
  • Must not rely on cookies to store sessions in browsers.
  • If cookies are used in browsers, ensure that they are flagged as Secure, HttpOnly and SameSite=None.
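
One way to check a deployed plugin against the header and cookie requirements above, as an added example that is not part of the Staffbase documentation or SDKs. The function names, hostnames and sample headers are assumptions made for illustration; pass every source from your own frame-ancestors directive as `requiredAncestors`.

```javascript
// Added example: audits response headers against the requirements listed above.
// Hostnames, cookie and header values are constructed sample data.
function parseCsp(value) {
  // "name src src; name src" -> Map(name -> [src, ...]); first occurrence wins
  const directives = new Map();
  for (const part of String(value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function auditPluginHeaders(headers, requiredAncestors) {
  const findings = [];
  const ancestors = parseCsp(headers['content-security-policy']).get('frame-ancestors');
  if (!ancestors) {
    findings.push('CSP has no frame-ancestors directive');
  } else {
    for (const src of requiredAncestors) {
      if (!ancestors.includes(src)) findings.push(`frame-ancestors is missing ${src}`);
    }
  }
  // Browsers without frame-ancestors support fall back to X-Frame-Options.
  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    findings.push(`X-Frame-Options: ${xfo} blocks embedding where frame-ancestors is unsupported`);
  }
  for (const cookie of [].concat(headers['set-cookie'] || [])) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    const flags = attrs.map((a) => a.toLowerCase());
    for (const flag of ['secure', 'httponly', 'samesite=none']) {
      if (!flags.includes(flag)) findings.push(`cookie ${pair.split('=')[0]} lacks ${flag}`);
    }
  }
  return findings;
}

// Constructed inputs: extend `required` with every source from your directive.
const required = ['https://app.example.test', 'capacitor://app.example.test'];
const sampleHeaders = {
  'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://app.example.test",
  'x-frame-options': 'SAMEORIGIN',
  'set-cookie': ['sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};
console.log(auditPluginHeaders(sampleHeaders, required));
```

An empty result means the response satisfies the checks that were passed in; each finding names the header or cookie to fix.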

For more details on what is required, check our SDKs. As soon as all the requirements for the custom plugin are met, you are ready to start the development.

Staffbase SDKs

Use an SDK to help you easily build a web application that can be embedded into the Staffbase environment:

We recommend using our SDK for NodeJS and the project skeleton generator that comes with it.

If you are developing your own plugin for your Staffbase app, you may want your plugin to communicate with our clients. To make this possible, we implemented a JavaScript-based API and communication layer for all our apps. We want to provide a library to help you improve your plugin functionality. This SDK provides the basic functionality to get information provided by the Staffbase app to your plugin and to trigger application events.

If you want to direct users to a specific page or content in your plugin, create deep links. Learn more about it here.

Finally, test and ensure that the web application you developed using the SDK runs on the web server where it is hosted.

Provide Staffbase With Custom Plugin Specifications

Before you can specify the authentication parameters that establish authorized communication between the plugin and the Staffbase server, Staffbase requires the specifications of the plugin in order to provide that information.

Reach out to to receive the datasheet to provide the plugin specifications. Fill out the datasheet with specifications, such as:

Publisher Details

  • Publisher Name: The name of the publisher of the custom plugin. This can be either the name of the developer or your organization.
  • Publisher Webpage: The webpage you want to add for the custom plugin. This will be displayed as a hyperlink to the publisher name.
  • Support Email: The support email to reach out to in case of assistance in the matter of the custom plugin lifecycle.

Custom Plugin Description

  • Name: The name of the custom plugin. The maximum character length is 20.
  • Synopsis: A short description of the custom plugin.
  • Entity Singular: The labels on the interface referring to the custom plugin in singular form. The maximum character length is 20.
    Example: The button Add <name of the custom plugin> to add an instance of the custom plugin.
  • Entity Plural: The labels on the interface referring to the custom plugin in plural form. The maximum character length is 20.
    Example: The heading on the interface to list all the instances of the custom plugin.
  • Entity Add New: The label on the interface referring to adding a new instance of the custom plugin. The maximum character length is 20.
  • Color: The hexadecimal color codes used in the custom plugin.
    Example: #FFFFFF
  • Icon: The icon you want to use in the custom plugin. You can select from one of the available Staffbase Icons or opt for custom icons. If you opt for a custom icon, you can add the custom icon in the menu, once the custom plugin is installed.

Custom Plugin Specifications

  • Custom Plugin URL: This includes custom plugin URLs for the user-facing interface and the Staffbase Studio.
  • Custom Plugin Availability: This includes details, such as:
    • available only to logged in users or even to non-logged in users (public area)
    • available to only your organization or available to other Staffbase customers as well

Specify the Authentication Parameters for Your Custom Plugin

You need to specify authentication parameters in the code of your custom plugin to ensure that requests from the Staffbase server can be authenticated by the host of the custom plugin. The authentication parameters required are:

  • Plugin ID: To identify the custom plugin that needs authentication.
  • Public Key: To authenticate the communication.

Staffbase provides you with the authentication parameters after you have submitted your plugin specifications. Add the parameter values to your code snippet. These values are matched to decode the JSON Web Token and authenticate the requests from the Staffbase server.

Example: In the SDK for NodeJS, you can add the values to the following code snippet.

The jwtToken parameter is generated with each request.
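
The checks a plugin host performs on the jwtToken with the Public Key and Plugin ID, as an added example using only Node's built-in crypto module; it is not the SDK snippet referred to above and not Staffbase code. It assumes RS256-signed tokens that carry the Plugin ID in the `aud` claim; the key pair, IDs and helper names are constructed for the demo.

```javascript
// Added example, not the Staffbase SDK. Assumes RS256 tokens whose `aud` claim
// carries the Plugin ID; the key pair, IDs and claims below are constructed.
const crypto = require('crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

function verifyPluginToken(jwtToken, publicKey, pluginId, now = Date.now() / 1000) {
  const parts = String(jwtToken).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm: the token must not choose it ("none", or HS256 keyed
  // with the public key, would otherwise bypass the signature check).
  if (fromB64url(h).alg !== 'RS256') throw new Error('unexpected alg');
  const signature = Buffer.from(s, 'base64url');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, signature)) {
    throw new Error('bad signature');
  }
  // Read claims only after the signature has been verified.
  const claims = fromB64url(p);
  if (claims.aud !== pluginId) throw new Error('token issued for another plugin');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}

// Constructed stand-in for the token issuer, used only to produce sample tokens.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function issueSampleToken(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

const PLUGIN_ID = 'example-plugin-id'; // placeholder, use the ID Staffbase provides
const exp = Math.floor(Date.now() / 1000) + 300;
const good = issueSampleToken({ aud: PLUGIN_ID, sub: 'user-1', exp });
const unsigned = `${b64url({ alg: 'none' })}.${b64url({ aud: PLUGIN_ID, exp })}.`;

// Returns the rejection reason, or null when the token is accepted.
function rejectionReason(token) {
  try { verifyPluginToken(token, publicKey, PLUGIN_ID); return null; } catch (e) { return e.message; }
}

console.log(verifyPluginToken(good, publicKey, PLUGIN_ID).sub);
console.log(rejectionReason(issueSampleToken({ aud: 'other-plugin', exp })));
console.log(rejectionReason(unsigned));
```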

Deploy Your Custom Plugin on the Staffbase Platform

Once the web application is developed, you can integrate it into the Staffbase environment. This involves registration and activation of the plugin on the Staffbase platform. Once you have added the authentication, inform Staffbase so that it can initiate the registration of the plugin in the Staffbase server and activate the custom plugin for your organization. The admin can then install it for the organization from the Plugins page in the Staffbase Studio.