Manifest Reference
Complete reference for the extension manifest.json file structure and all available fields.
Overview
The manifest.json file is the heart of your extension. It defines metadata, permissions, and configuration. The minimum required fields are:
{
  "name": "my-extension",
  "version": "1.0.0",
  "publicKey": "a1b2c3d4e5f6..."
}
Required Fields
These fields must be present in every manifest:
name: Unique identifier for your extension (lowercase, alphanumeric, hyphens)
version: Semantic version string (e.g., 1.0.0)
publicKey: Ed25519 public key (base64, generated by haex init)
Optional Fields
These fields enhance your extension but are not required:
| Field | Type | Default | Description |
|---|---|---|---|
| author | `string \| null` | - | Author name displayed in the marketplace |
| description | `string \| null` | - | Human-readable description of your extension |
| homepage | `string \| null` | - | URL to your extension's homepage or repository |
| entry | `string \| null` | "index.html" | HTML entry point relative to the build output |
| icon | `string \| null` | "icon.png" | Path to the extension icon (relative to extension root) |
| displayMode | `"auto" \| "window" \| "iframe"` | "auto" | How the extension displays in haex-vault |
| singleInstance | `boolean \| null` | false | If true, only one instance can run at a time |
| migrationsDir | `string \| null` | - | Path (relative to extension root) to a Drizzle-style migrations directory with _journal.json and *.sql files |
| i18n | `Record<string, { name?: string; description?: string }> \| null` | - | Locale-specific overrides for name and description (key is locale code, e.g. 'de', 'en') |
| signature | `string` | - | Ed25519 signature (added automatically during signing) |
Display Modes
The displayMode field controls how your extension appears in haex-vault:
auto: Automatically pick the best mode (Tauri WebviewWindow on desktop, iframe on mobile)
window: Open in a dedicated Tauri WebviewWindow with native window controls
iframe: Render as an embedded iframe inside haex-vault
Permissions
Declare all permissions your extension needs in the manifest. Users will review these during installation.
Database Permissions
readWrite
"permissions": {
  "database": [
    { "target": "MCowBQYDK2Vw...__other-extension__users", "operation": "read" },
    { "target": "MCowBQYDK2Vw...__other-extension__settings", "operation": "readWrite" }
  ]
}
Filesystem Permissions
Operations: read
"permissions": {
  "filesystem": [
    { "target": "**/*.txt", "operation": "read" },
    { "target": "/exports/**", "operation": "readWrite" }
  ]
}
HTTP Permissions
URL-pattern only - declare each allowed URL or domain as a target. The HTTP method is parsed from the manifest but not enforced by the runtime check today. Targets use glob patterns:
"permissions": {
  "http": [
    { "target": "https://api.example.com/**" },
    { "target": "https://*.github.com/api/*" }
  ]
}
For detailed permission information, see the Permissions Guide.
Complete Example
Here's a complete manifest with all commonly used fields:
{
  "name": "password-manager",
  "version": "1.0.0",
  "author": "John Doe",
  "description": "Securely store and manage your passwords",
  "homepage": "https://example.com/password-manager",
  "entry": "index.html",
  "icon": "icon.png",
  "displayMode": "window",
  "singleInstance": true,
  "migrationsDir": "database/migrations",
  "publicKey": "MCowBQYDK2VwAyEA...",
  "signature": "",
  "permissions": {
    "database": null,
    "filesystem": [
      { "target": "**/*.json", "operation": "readWrite" }
    ],
    "http": [
      { "target": "https://api.haveibeenpwned.com/**" }
    ],
    "shell": null
  },
  "i18n": {
    "de": { "name": "Passwort-Manager", "description": "Passwörter sicher speichern" },
    "en": { "name": "Password Manager", "description": "Securely store passwords" }
  }
}
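
A review-time check over the required fields and permission targets described on this page, as an added example that is not part of haex-vault or its CLI. The function name `auditManifest`, the severity levels and the rules for what counts as an unanchored or wildcard target are assumptions of this example, as is accepting the key either as 32 raw bytes or as a 44-byte DER SubjectPublicKeyInfo (the `MCowBQYDK2VwAyEA` prefix seen in the examples above).

```javascript
// Added example, not haex-vault code. Severity levels and the "broad target"
// rules are assumptions of this example; glob matching is left to the runtime.
const SPKI_ED25519 = Buffer.from("302a300506032b6570032100", "hex"); // base64 "MCowBQYDK2VwAyEA"
const SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function auditManifest(m) {
  const findings = [];
  const add = (level, field, msg) => findings.push({ level, field, msg });

  // Required fields: name, version, publicKey.
  if (!/^[a-z0-9-]+$/.test(m.name || "")) add("error", "name", "not lowercase alphanumeric/hyphen");
  if (!SEMVER.test(m.version || "")) add("error", "version", "not a semantic version");
  const key = Buffer.from(String(m.publicKey || ""), "base64");
  const isSpki = key.length === 44 && key.subarray(0, 12).equals(SPKI_ED25519);
  if (!isSpki && key.length !== 32) add("error", "publicKey", `decodes to ${key.length} bytes, not an Ed25519 key`);

  const perms = m.permissions || {};
  for (const p of perms.database || [])
    if (p.operation === "readWrite") add("medium", "database", `write access to ${p.target}`);
  for (const p of perms.filesystem || []) {
    // A target that starts with a wildcard is not confined to any directory.
    const unanchored = /^\/?\*/.test(p.target);
    if (unanchored) add(p.operation === "readWrite" ? "high" : "medium", "filesystem", `${p.target} is unanchored`);
  }
  for (const p of perms.http || []) {
    const url = /^([a-z][a-z0-9+.-]*):\/\/([^/]*)/i.exec(p.target);
    if (!url || url[1].toLowerCase() !== "https") add("high", "http", `${p.target} is not https`);
    else if (url[2].includes("*")) add("medium", "http", `${p.target} has a wildcard host`);
    // The page notes the HTTP method is not enforced, so a target allows every method.
    add("info", "http", `${p.target} is reachable with any HTTP method`);
  }
  return findings;
}

// Constructed sample: dummy key bytes, permission targets taken from the page's examples.
const sample = {
  name: "password-manager",
  version: "1.0.0",
  publicKey: Buffer.concat([SPKI_ED25519, Buffer.alloc(32, 7)]).toString("base64"),
  permissions: {
    database: null,
    filesystem: [{ target: "**/*.json", operation: "readWrite" }],
    http: [{ target: "https://api.haveibeenpwned.com/**" }, { target: "https://*.github.com/api/*" }],
  },
};

for (const f of auditManifest(sample)) console.log(`${f.level.padEnd(6)} ${f.field}: ${f.msg}`);
```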