Permissions¶

Squared apps run in a sandbox. Sensitive APIs require explicit permissions declared in manifest.json.

Available Permissions¶

Permission	API Granted	Description
`network`	`Network`	HTTP requests via NetworkClient
`secure-storage`	`SecureStorage`	Encrypted key-value storage via SecureStorage

Always Available (No Permission Needed)¶

API	Description
`Storage`	Key-value persistence
`App`	App metadata and lifecycle

Declaring Permissions¶

Add a permissions array to your manifest.json:

{
    "id": "com.example.myapp",
    "name": "My App",
    "version": "1.0.0",
    "permissions": ["network", "secure-storage"]
}

How It Works¶

When the AppRunner launches an app:

It reads manifest.json and checks the permissions array
Storage and App are always injected into the app's context
Network is only injected if "network" is in permissions
SecureStorage is only injected if "secure-storage" is in permissions

If your code references an API that wasn't granted, the context property will be undefined:

// Without "network" permission, this will fail:
Network.get("/data")  // TypeError: Cannot read property 'get' of undefined

Checking Permissions at Runtime¶

You can guard against missing permissions:

SButton {
    text: "Fetch Data"
    visible: typeof Network !== "undefined"
    onClicked: Network.get("/data").then(handleResult)
}

SEmptyState {
    visible: typeof Network === "undefined"
    title: "Network not available"
    description: "This feature requires network permission"
}

Store Display¶

The store page shows permission badges on apps that require sensitive APIs, so users know what an app needs before installing.

Best Practices¶

Request only what you need. Don't declare network if your app works offline.
Degrade gracefully. If a permission might not be granted in the future, check before using the API.
Document why. Use your app's description to explain why permissions are needed (e.g., "Fetches live weather data").