Application Capabilities and Limitations
The Flowlu marketplace allows developers to extend the platform’s functionality while enforcing clear boundaries to maintain system stability and security. This section outlines what marketplace applications can do and which actions are restricted.
Extending the user interface
Applications can add their own UI elements using supported integration points. This includes buttons, tabs, widgets, and custom pages.
Applications cannot modify or override existing interface elements or core platform behavior outside of approved integration points. For example, an application cannot remove standard menu items or interfere with other modules. It can only add its own components in allowed locations.
Access to data and actions
Applications can use Flowlu’s public APIs to read or modify data, such as creating records or retrieving lists, but only within the permissions declared in the manifest.
All requested permissions must be approved by an administrator during installation. API requests outside the approved permission scope are blocked automatically. This enforces the principle of least privilege.
For a complete list of available endpoints and permission scopes, refer to the Flowlu API documentation.
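The least-privilege rule above can be checked before an application is submitted. The following is an added example, not Flowlu's own code: the manifest layout (a JSON object with a `permissions` list), the scope names, and the call inventory are hypothetical placeholders chosen for illustration. It reports calls that would be blocked for lack of a declared scope and declared scopes the application never uses.

```python
import json

# Constructed sample. The manifest layout and scope names are hypothetical
# placeholders, not Flowlu's real manifest schema or permission identifiers.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-app",
    "permissions": ["crm.read", "tasks.read", "tasks.write", "finance.read"],
})

# Constructed inventory of the API calls the application makes, each tagged
# with the scope it needs (an assumption: kept by hand next to the client code).
SAMPLE_CALLS = [
    {"operation": "list tasks", "scope": "tasks.read"},
    {"operation": "create task", "scope": "tasks.write"},
    {"operation": "list contacts", "scope": "crm.read"},
    {"operation": "create contact", "scope": "crm.write"},
]


def audit_scopes(manifest_text, calls):
    """Compare declared scopes with the scopes the application's calls need."""
    manifest = json.loads(manifest_text)
    declared = manifest.get("permissions")
    if not isinstance(declared, list) or not all(isinstance(s, str) for s in declared):
        raise ValueError("manifest 'permissions' must be a list of strings")
    declared_set = set(declared)

    # Group operations by the scope they require.
    needed = {}
    for call in calls:
        needed.setdefault(call["scope"], []).append(call["operation"])

    return {
        # Calls whose scope is not declared: the platform would block these.
        "would_be_blocked": {s: ops for s, ops in sorted(needed.items())
                             if s not in declared_set},
        # Declared but never used: requests more privilege than necessary.
        "unused_declared": sorted(declared_set - set(needed)),
        # Scopes listed more than once in the manifest.
        "duplicates": sorted({s for s in declared if declared.count(s) > 1}),
    }


if __name__ == "__main__":
    report = audit_scopes(SAMPLE_MANIFEST, SAMPLE_CALLS)
    print(json.dumps(report, indent=2))
    # Non-zero exit lets a CI job fail on any finding.
    raise SystemExit(1 if any(report.values()) else 0)
```

Running it in a build pipeline keeps the permission list an administrator is asked to approve aligned with what the application actually does.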
Isolation and security
Applications run in an isolated, sandboxed environment. Embedded frontend applications are loaded in an isolated environment that prevents direct access to Flowlu’s internal code or data.
Applications cannot execute scripts in the Flowlu page context or access internal platform services. All interaction with Flowlu must go through documented APIs and SDKs.
Interaction with external services
Applications may communicate with external services, such as their own backend or webhook endpoints, using secure HTTPS connections.
Applications cannot connect directly to Flowlu’s internal services or bypass the public API. All integrations must use the interfaces described in the documentation.
Data storage and secrets
Applications can store configuration data using the mechanisms provided by Flowlu. Sensitive data, such as API keys and tokens, is stored securely using platform-provided mechanisms and is not exposed through the user interface.
Applications must not store secrets in plain text. Any application-specific data that is not managed by Flowlu should be stored on the developer’s own infrastructure.
Performance limits and quotas
Flowlu enforces usage limits to protect the platform from excessive load. These limits may apply to API request rates, storage usage, or other resources.
Applications that exceed these limits may be throttled or temporarily blocked. Developers are expected to design applications efficiently and avoid unnecessary requests.
Installation and access control
Only administrators, or users with appropriate permissions, can install or remove applications. After installation, administrators control which users or roles can access the application.
Applications cannot change their own permissions, visibility, or access rules.
Billing and payments
Applications must not interact with or modify Flowlu’s internal billing or payment systems. Any billing or payment logic must be handled externally.
These limitations ensure that applications extend Flowlu without affecting platform stability or security. Developers must follow the SDK documentation and platform requirements to ensure their applications work correctly.