Creating a plugin
Plugins enable Cortex users to pull data into their Cortex instance from any source, expose custom metrics, and customize the UI to match other internal tools. A plugin is an application that is embedded in Cortex. It uses a plugin proxy to send requests from the plugin to a third party.
You can use the Scaffolder in a Workflow to quickly spin up a Cortex plugin repository. The plugin code repository includes:
React + TypeScript
Testing via
testing-library
Compilation to a single HTML file via webpack
The Cortex React plugin package (
@cortexapps/react-plugin-ui
) pre-installed, which provides access to context, proxy usage, CSS variables for theme-based styling, and UI components.Cortex offers a cookiecutter template with examples using
react-plugin-ui
.
The Cortex Plugin core package (@cortexapps/plugin-core).
If you created your plugin before April 2025 and your plugin is using components from plugin-core/components
, we have updated these components to utilize react-plugin-ui
. Please upgrade plugin-core to 3.0.0-beta.4 or later to migrate these components to the new design.
How to create a Cortex plugin
Prerequisites
Users with the Edit plugins
permission can create a plugin.
Step 1: Register the plugin
In Cortex, navigate to Plugins.
In the upper right corner, click Register plugin.
Configure the plugin:
Plugin name: Enter a display name for the plugin.
Identifier: Enter a unique identifier for the plugin.
Description: Enter a description of the plugin to help others understand its purpose.
Display icon: Select an icon that will be used when displaying this plugin across Cortex.
Minimum user role: Select the minimum user role required to be able to see this plugin. You can choose default or custom roles.
Note that you will not be able to delete a custom role if it is associated with a plugin.
Associated proxy: If you have configured a proxy, select the proxy to use for proxy fetches from this plugin.
Context: Select the context for your proxy:
Global: Select this option if you want to configure the plugin to appear in your main nav or as a tab on the dev homepage.
Specific entity types: Select this option if you want to plugin to display in the sidebar of entity pages.
Both options: Select this option to have the ability to display the plugin in the main nav, on the dev homepage, and on entity pages.
In the next step, you will choose how to create the plugin.
Step 2: Create the plugin
While registering your plugin, in the "Code" section of the page, you can choose whether to create a plugin repo from a template or create it from scratch.

Under "Create plugin," click one of the options:
Duplicate repo with template: Choose this option to create a plugin repo from a template.
A side panel will open in Cortex, where you can configure the plugin name, license, and other details depending on which Git provider you use.
You can also choose whether you create a corresponding Cortex entity.
When you are finished configuring the plugin, at the bottom of the side panel click Save.
Download template.zip: Choose this option to create a plugin from scratch.
A zip file will download onto your computer. You can then manually configure your repository.
In the next step, you will generate the HTML file for your plugin.
Step 3: Clone the repository locally and install dependencies
After you create a plugin from a template in Cortex, a link is displayed to see your created repository.
Navigate to your newly-created plugin repository.
If you created the plugin from a template, a link is displayed to see your created repository. Click View created repository.
Clone the repository locally.
Install dependencies via
yarn
.You can also use
npm
commands if preferred.
Run
yarn build
to generate a single HTML file representing your plugin (output at./dist/ui.html
).If you want to make any changes to the plugin, modify the code before running or re-running the
build
command.
Navigate back to your plugin configuration page in Cortex.
Step 4: Upload and preview plugin in Cortex
On the plugin configuration page, under "Upload and preview plugin," upload an HTML file you generated from running
yarn build
in the previous steps.Dev mode: Toggle on to enable dev mode. When in dev mode, the preview for your HTML file uses code running at http://localhost:9000/ui.html. To run your plugin code from this location, use
yarn dev
ornpm run dev
from your plugin.In the preview, iterate on any changes you might want to make to the plugin.
Click Save plugin.
Create a plugin proxy
To access authenticated external APIs, you can configure a plugin proxy to add request headers to requests matching a URL prefix. See Creating a plugin proxy for more information.
Editing the plugin code
Users with the Edit plugins
permission can edit plugins.
Enable dev mode
Optionally, you can preview your changes before implementing them:
While viewing the plugins list in Cortex, locate the plugin you want to share.
In the row containing the plugin, click the 3 dots icon, then click Edit plugin.
Next to the "Code" section, enable the toggle next to Dev mode.
The preview will use code running at http://localhost:9000.
From your scaffolded plugin in command line, run
yarn dev
.View the preview on the Plugin editor page in Cortex.
Edit and update the plugin
In your text editor, open the cloned repo for your plugin.
After making changes and saving, run
yarn build
.Optionally, run
yarn dev
to preview your changes in Cortex.In the "Plugin code" section of the plugin editing page in Cortex, click Edit next to the file name. Select your newly-updated file.
At the bottom of the page, click Save plugin.
Share the plugin
While viewing the plugins list in Cortex, locate the plugin you want to share.
In the row containing the plugin, click the 3 dots icon.
Click Share.
A link is copied to your clipboard. You can share it with anyone who has access to view plugins in your Cortex workspace.
Building plugins
As of April 2025, all new plugins use the @cortexapps/react-plugin-ui
package. This package enables Cortex plugin developers to create plugins that share the look and feel of Cortex in an iframe.
Cortex offers a cookiecutter template with examples using react-plugin-ui
.
Prior to April 2025, plugins used the @cortexapps/plugin-core
package. For existing plugins using plugin-core
, ensure that you have upgraded to version 3.0.0-beta.4 or above to switch your components to the new design.
Adding theme-based styling
The react-plugin-ui
package includes CSS variables for theme-based styling. These styles will adjust to match the brand color you have configured and will reflect your light or dark mode settings for your Cortex workspace. The styles are injected via an iframe postMessage
request, which is initiated by the Cortex CortexApi.pluginInit()
call.
If your plugin needs additional styling beyond what is available in react-plugin-ui
, you can also use the Cortex CSS API. See documentation for these variables in the plugin template repository.
Accessing contextual Cortex information from your plugin
The easiest way to access the plugin context is via the usePluginContext()
hook.
import from "@cortexapps/plugin-core/components";
import type React from "react";
const MyComponent = React.FC => () => {
const context = usePluginContext();
return (
Plugin context
);
};
export default MyComponent;
If you need to access the plugin context outside of a React component, you can use the CortexApi
class directly. The CortexAPI class exposed from @cortexapps/plugin-core
provides a method for accessing the context your plugin is running in, getContext()
.
import from "@cortexapps/plugin-core";
import types from "@cortexapps/plugin-core";
// fetch information about the currently-signed-in Cortex user
const getCurrentCortexUser = async (): Promise => ;
// if the plugin is running inside of a catalog entity details page, fetch information about that entity
const getCurrentCortexEntity = async (): Promise => ;
Accessing Cortex APIs from your plugin
You can access Cortex APIs using @cortexapps/plugin-core
’s CortexAPI
.
See the Cortex API docs for available API calls.
import from "@cortexapps/plugin-core";
// fetch deploys for the current entity if the plugin is running on a domain, resource, or service details page
const fetchDeploysForCurrentEntity = async () => {
const context = await CortexApi.getContext();
if (!context?.entity)
const = context.entity;
const response = await CortexApi.proxyFetch(`https://api.getcortexapp.com/api/v1/catalog/$/deploys`);
return response.json();
};
Accessing external APIs from your plugin
It is also possible to access non-Cortex APIs from your plugin. Because plugins are run in an iframe, typical fetch
requests often get blocked by the browser's enforcement of CORS. However, when using the Cortex-provided template, the browser fetch is shimmed to call CortexApi.proxyFetch
, a method for using Cortex as a proxy to make the request. For this reason, you should be able to use fetch()
as you typically would in a web application.
If your browser fetch is not getting shimmed properly, make sure that your @cortexapps/plugin-core
is up to date and you're using wrapping your app with <PluginProvider>
. See the cookiecutter template for an example.
Request signing
We add the following headers to each request made by Cortex. Use these headers to verify that the request is valid and originated from Cortex:
x-cortex-timestamp
This header uses the current timestamp in millis, and is used to prevent replay attacks. Cortex will sign the requests using the format
<timestamp>.<body>
.
x-cortex-timestamp-only-signature-256
This header calculates the SHA256 signature using only the timestamp. Use this header in environments where the HTTP request body is unavailable due to platform limitations.
x-cortex-signature-256
This header uses the SHA256 algorithm. For security best practices, we recommend using this header rather than
x-cortex-signature
.
x-cortex-signature
This header uses the SHA1 algorithm and exists for backward compatibility. SHA1 is considered unsafe and this signature should be considered deprecated.
To calculate the signature (an RFC2104 HMAC):
Create a string with the value
"$timestamp.$requestBody"
if the request body is non-null OR"$timestamp
" if the request body is null.Calculate an HMAC using the SHA256 algorithm. Use the Secret you provided to Cortex as the key and the string from Step 1 as the payload.
Verify that the x-cortex-signature-256 matches the HMAC calculated in Step 2.
Using Cortex UI components
Cortex UI components are available for import from @cortexapps/react-plugin-ui
.
Last updated
Was this helpful?