Skip to content
CairnCMS logo: a stack of stones forming a cairn CairnCMS

Server extensions

Server extensions extend the API. They are written in JavaScript or TypeScript and run in the API’s Node process. There are three types: hook, endpoint, and operation. An operation is hybrid, with a server side that runs there and an app side that renders its configuration form in the flow editor.

A server extension runs in one of two runtimes. The runtime is a per-extension choice, declared in the manifest.

Full authority

Section titled “Full authority”

By default, a server extension runs with full authority. It loads in the API process with full access to services, the database, and the environment, the same reach the platform’s own code has. This is the default when the manifest declares no runtime.

Full authority is the home for what the sandbox cannot host: native modules, raw service or database access, schema changes, and the init, schedule, and embed hook lifecycle. A full-authority extension is unconfined, so the operator is responsible for the decision to run it, as well as the implications.

Sandboxed

Section titled “Sandboxed”

A server extension opts into the sandbox by declaring runtime: confined-server. The code then runs in a confined child process with no host imports and no raw Node. Every privileged effect goes through a brokered host.* call that the platform gates against the capabilities the extension declares, so the operator can see and bound what the extension can reach before it runs.

Endpoint handlers and operation server handlers run confined. An operation’s app-side configuration form still runs in the browser, as it does for any operation. Confined hooks support filter and action events, while the init, schedule, and embed lifecycles stay full-authority, with no confined equivalent.

The Sandbox page is the full reference: the host API, the capability vocabulary, and the diagnostics.

Which to choose

Section titled “Which to choose”

Prefer the sandbox for new server extensions when the brokered host API covers what they need. It bounds what the code can reach, makes that reach reviewable in the manifest, and keeps a faulty or compromised extension from holding the whole API process.

Reach for full authority when the sandbox cannot host the work: a native module, a raw service, a schema mutation, or a hook lifecycle the broker does not expose. Choosing full authority is choosing to run unconfined code, so weigh it as that.

The types

Section titled “The types”
  • Hook reacts to or modifies platform events. Full-authority hooks register five functions: filter, action, init, schedule, and embed. Confined hooks support filters and actions.
  • Endpoint is a custom HTTP route mounted alongside the built-in API.
  • Operation is a custom flow operation, with a server side that runs the logic and an app side that configures it.

Where to go next

Section titled “Where to go next”
  • Sandbox is the confined runtime reference.
  • Internal services is the full-authority services reference.
  • The type pages above cover each server type’s API, both full-authority and confined.
  • Creating extensions covers the toolchain: scaffold, build, install, hot reload, debug, publish.