Downcity
Plugins

Plugin HTTP Injection

Understand what plugin.http.runtime does, how auth policies work, and when runtime HTTP injection is the right tool

Plugin HTTP Injection

A plugin can declare:

http: {
  runtime: {
    authPolicies: [...],
    register({ app, getContext, pluginName }) {
      // register routes
    },
  },
}

What problem this solves

It lets a plugin declare:

  • which runtime HTTP routes it owns
  • which auth policies those routes require

and leaves server assembly to the runtime layer.

authPolicies

This describes:

  • how the plugin-owned route group should be protected

The key idea is:

  • the plugin declares its own security needs
  • runtime and console consume that declaration

register

This is where the plugin adds its routes to the runtime Hono app.

The plugin does not need to start a server. It only contributes route registration.

Best current example

The workboard plugin currently injects:

  • GET /api/workboard/snapshot

That is the clearest runtime HTTP plugin example in the current codebase.

When plugin HTTP is a good fit

Use it when:

  • you want a dedicated runtime HTTP endpoint
  • the endpoint belongs to one plugin capability surface
  • you want auth, availability, and control-plane identity to stay aligned with that plugin

When it is not the right fit

If you only need:

  • normal session execution
  • standard SDK session routes

then the built-in session HTTP layer should remain your first choice instead of building a parallel plugin HTTP interface.

Plugin Availability

Understand the difference between enabled and available, and the gap between static catalog state and runtime usability

Custom Plugin

Build a custom plugin with config, actions, hooks, system text, availability checks, and optional runtime HTTP routes

Table of Contents

Plugin HTTP InjectionWhat problem this solvesauthPoliciesregisterBest current exampleWhen plugin HTTP is a good fitWhen it is not the right fitRelated docs