Installing extensions

Once the extension is created by an extension developer, your users will have to enable that extension for their account. It would not make sense to grant every extension access to every one of your customer accounts. So there should be an explicit step that your users will go through to install or enable the extension.

At this point the extension has been created and configured in your platform. Depending on the exact flow for your users, now is the time to enable their ability to install that extension.

  1. Your users will use your marketplace to find and add the extension to their account.
  2. Upon enabling the extension in their account, grant the Platform Extension access to their account via a new access record (see details on managing access records). It is a good idea to provide a confirmation flow for the user so that they know exactly what access they are granting to this extension.
Grant permissions to extension developer
```javascript
import { AuthressClient } from '@authress/sdk';
const authressClient = new AuthressClient({ authressApiUrl: '' });

async function installExtension(customerTenantId, userId, extensionId) {
  // Check to make sure this user can install extensions in their account
  // * This check is an example, what you do here is decided based
  // * on your platform permissions
  // * The resource and permission shown are placeholders; substitute your platform's own
  await authressClient.userPermissions.authorizeUser(
    userId, `accounts/${customerTenantId}`, '<YOUR_INSTALL_EXTENSION_PERMISSION>');

  // Store that this extension has been activated for the account
  // (internalEnableExtensionForAccount is your platform's own function)
  await internalEnableExtensionForAccount(customerTenantId, extensionId);

  const newRecord = {
    // Use a predictable recordId that can be used to update the record later
    recordId: `rec_extensions:${customerTenantId}:${extensionId}`,
    users: [{ userId: userId }],
    statements: [{
      roles: ['ExtensionRole'],
      resources: [
        { resourceUri: `accounts/${customerTenantId}` }
        /* List out additional resources here relevant for the extension */
      ]
    }]
  };
  await authressClient.accessRecords.createRecord(newRecord);
}
```

You'll notice the use of `ExtensionRole` here. Your platform has personas that should be catalogued as Roles. When granting access to customer accounts, use your already created roles. Or, if you have a very large number of resources, you can let your extension developers dynamically create roles as part of extension creation.

Additionally, above we set the recordId to `rec_extensions:${customerTenantId}:${extensionId}`. This is so that when the extension's permissions change or are removed later, we know exactly where this record is and can directly delete it or add additional resources. Progressive permissions access is common: start by giving the extension access to a limited number of resources, and later the account owner might update the extension's permissions to include additional ones.
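The following added example (not code from the original page or from Authress) shows how the predictable record ID supports progressive permissions and uninstall without any lookup table. It assumes the `AuthressClient` is passed in and that `getRecord` resolves to an object with a `data` property. `ID_PATTERN`, the function names and the tenant-scoping check are hypothetical choices made for this example.

```javascript
// Added example. authressClient is an @authress/sdk AuthressClient supplied by the caller.
const ID_PATTERN = /^[A-Za-z0-9_-]+$/; // assumption: IDs never contain ':' or '/'

function extensionRecordId(customerTenantId, extensionId) {
  for (const id of [customerTenantId, extensionId]) {
    // Reject separators so two different (tenant, extension) pairs never map to one record
    if (!ID_PATTERN.test(id)) throw new Error(`Invalid identifier: ${id}`);
  }
  return `rec_extensions:${customerTenantId}:${extensionId}`;
}

// Pure helper: returns a copy of the record with extra resources on the extension statement.
function withAdditionalResources(record, customerTenantId, resourceUris) {
  const accountRoot = `accounts/${customerTenantId}`;
  for (const uri of resourceUris) {
    // Only resources inside this customer's account may be granted to the extension
    if (uri !== accountRoot && !uri.startsWith(`${accountRoot}/`)) {
      throw new Error(`Resource outside of tenant: ${uri}`);
    }
  }
  const statements = record.statements.map(statement => {
    if (!statement.roles.includes('ExtensionRole')) return statement;
    const existing = statement.resources.map(r => r.resourceUri);
    const merged = [...new Set([...existing, ...resourceUris])]; // de-duplicate
    return { ...statement, resources: merged.map(resourceUri => ({ resourceUri })) };
  });
  return { ...record, statements };
}

async function expandExtensionAccess(authressClient, customerTenantId, extensionId, resourceUris) {
  const recordId = extensionRecordId(customerTenantId, extensionId);
  const { data: record } = await authressClient.accessRecords.getRecord(recordId);
  const updated = withAdditionalResources(record, customerTenantId, resourceUris);
  await authressClient.accessRecords.updateRecord(recordId, updated);
  return updated;
}

async function uninstallExtension(authressClient, customerTenantId, extensionId) {
  // No lookup needed: the ID is derived from the same two values used at install time
  const recordId = extensionRecordId(customerTenantId, extensionId);
  await authressClient.accessRecords.deleteRecord(recordId);
  return recordId;
}
```

Run the same authorization check used in `installExtension` before calling either function, so only users allowed to manage extensions can widen or revoke an extension's access.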

  3. The users from that customer will now be able to log into that third-party extension, and that extension can use the logged-in user and the access granted during installation to interact with the customer data.