Permissions
Request the least your module needs. Each permission is enforced by the host on every call — declaring it in the manifest is necessary but not sufficient; the host re-checks at call time, so a tampered frontend can't grant a module anything its manifest didn't declare.
| Permission | Lets the module... |
|---|---|
data:nowPlaying | read the current track / playback state |
data:controllers | read connected controller input |
data:metrics | read live FPS / system metrics |
data:session | read game-session events |
ui:notify | raise host notifications / toasts |
action:playback | control playback (play / pause / next / previous) |
net:fetch | host-proxied HTTP, limited to allowedDomains |
Storage is always available — namespaced to your module, so other modules can't read it. It needs no permission.
net:fetch and allowedDomains
net:fetch is the only permission that requires an extra field: a non-empty allowedDomains list of bare
hosts. Raw browser fetch is blocked by the module's CSP, so all network traffic goes through
ps.host.fetch, which only reaches those hosts. See the
networking section of the SDK reference and the
security model for the full set of guards.
{
"permissions": ["net:fetch"],
"allowedDomains": ["api.open-meteo.com"]
}