Mini apps run inside Bigmind and should be treated like workspace software. Build them with the same care you use for internal CRM, revenue, and enablement workflows.
Security model
Mini apps run in a controlled embedded environment. They should use the context and APIs Bigmind provides instead of assuming direct access to the surrounding page, browser tabs, or private workspace data.
Iframe sandbox
- Isolated execution: Mini app code runs separately from the parent application.
- Restricted browser access: Mini apps should not depend on unrestricted browser APIs or parent-window access.
- No top-level navigation: Mini apps should stay inside their assigned surface.
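The following is an added example, not Bigmind's own embedding code. It illustrates the two sides of the sandbox described above: the host grants the frame an explicit allow-list of capabilities and never lets it navigate the top-level page, and the mini app trusts context only when it arrives from its known host in the expected shape. The sandbox token names are the standard iframe `sandbox` attribute values; the message type `host:context`, the origin strings and the check helpers are assumptions for illustration.

```javascript
// Added example, not Bigmind's code. Host-side sandbox construction and
// mini-app-side host verification for an embedded mini app.
// The message type "host:context" and the origins are assumptions.

// Sandbox tokens a mini app is never granted, whatever it asks for:
// both forms of top-level navigation would let it leave its assigned surface.
const NEVER_GRANTED = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Host side: turn a requested capability list into the sandbox attribute value.
// An empty result is the most restrictive sandbox (sandbox=""), not "no sandbox".
function buildSandboxAttribute(requested) {
  const granted = [];
  for (const token of requested) {
    if (NEVER_GRANTED.has(token)) continue;
    if (!granted.includes(token)) granted.push(token);
  }
  return granted.join(" ");
}

// Host side check: a frame served from the host's own origin that receives both
// allow-scripts and allow-same-origin can remove its own sandbox attribute,
// so refuse that combination for same-origin mini apps.
function sandboxIsSafe(attributeValue, frameOrigin, hostOrigin) {
  const tokens = new Set(attributeValue.split(/\s+/).filter(Boolean));
  const escapable = tokens.has("allow-scripts") && tokens.has("allow-same-origin");
  return !(escapable && frameOrigin === hostOrigin);
}

// Mini app side: detect whether we are embedded at all. Opened as a top-level
// page there is no host to receive context from. The window object is passed
// in so the check can be exercised outside a browser.
function isEmbedded(win) {
  return win.top !== win.self;
}

// Mini app side: accept a postMessage context only from the expected host
// origin and only in the expected shape; everything else is dropped, never rendered.
function acceptHostContext(event, expectedHostOrigin) {
  if (event.origin !== expectedHostOrigin) {
    return { ok: false, reason: `ignored message from ${event.origin}` };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "host:context" ||
      typeof data.props !== "object" || data.props === null) {
    return { ok: false, reason: "malformed context message" };
  }
  return { ok: true, props: data.props };
}
```

In a real mini app `acceptHostContext` would be wired to `window.addEventListener("message", ...)` with the host origin fixed at build time, not read from the message itself; a message's own claims about where it came from are worth nothing, only `event.origin` is.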
Access control
- Workspace isolation: Mini apps belong to the workspace where they were created.
- User permissions: Record access and actions should align with the current user's permissions.
- Status checks: Only mini apps that are active and published are shown to users, and only in the surfaces configured for them; a draft is not reachable by users.
Code and data handling
- Keep secrets out of client code: Mini app code is delivered to the user's browser, so any token placed in it is readable by that user. Keep private tokens and connections to backend systems in server-side tools.
- Use Bigmind SDKs and tools: Prefer approved APIs over direct calls to CRM or internal systems.
- Handle errors clearly: Show a helpful state instead of leaving a blank panel.
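The following is an added example, not Bigmind's code. It shows two of the habits listed above in working form: the private credential for the CRM stays behind a server-side tool, so the client request carries only the record it is looking at, and every situation the panel can be in maps to a visible state with a readable message instead of a blank panel. The tool URL `/tools/record`, the prop names, the `fetchImpl` parameter and the state names are assumptions for illustration.

```javascript
// Added example, not Bigmind's code. Client-side request to a server-side
// tool (no secret in the client) and a view-state map for the panel.
// "/tools/record", the prop names and the state names are assumptions.

// Client side: describe the request to the server-side tool. Only the record
// id crosses the boundary; there is deliberately no Authorization header,
// because the tool attaches the CRM credential from its own configuration.
function buildToolRequest(toolUrl, recordId) {
  return {
    url: toolUrl,
    init: {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ recordId }),
    },
  };
}

// fetchImpl is injected so the function can be exercised with a stub;
// in the browser it is simply window.fetch.
async function loadRecordViaTool(fetchImpl, toolUrl, recordId) {
  const { url, init } = buildToolRequest(toolUrl, recordId);
  const res = await fetchImpl(url, init);
  // Surface only the status to the user; never echo a raw backend error body.
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  return res.json();
}

// Which props the surface must supply. Missing ones are reported by name so
// the panel can say what is wrong rather than crash on undefined.
function missingProps(props, required) {
  return required.filter((name) => props == null || props[name] === undefined);
}

// Map the panel's situation to something a user can read and act on.
function deriveViewState({ props, required, loading, error, record }) {
  const missing = missingProps(props, required);
  if (missing.length > 0) {
    return {
      kind: "no-context",
      message: `Open this mini app from a supported record; missing: ${missing.join(", ")}`,
    };
  }
  if (loading) return { kind: "loading", message: "Loading record..." };
  if (error) return { kind: "error", message: `Could not load record: ${error.message}` };
  if (!record) return { kind: "empty", message: "No data for this record yet." };
  return { kind: "ready", record };
}
```

The `no-context` state is the one to check first when a mini app opens but shows nothing: it names the props that did not arrive, which is exactly what the test panel's simulated props are meant to exercise before publishing.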
Publishing safely
Use draft, preview, and test flows before publishing changes. Published mini apps can appear to users in configured surfaces, so review UI behavior, loading states, and failure states before making a mini app active.
Practical limits
- Surface size: Keep Sidekick mini apps compact enough for a side panel.
- Runtime work: Avoid long-running operations in the UI. Use tools or workflows for heavy work.
- Client-side state: State held inside the mini app exists only in the user's browser session and is not durable; do not treat the mini app itself as a store for anything that must persist.
- Code size: Keep the app lightweight so it loads quickly.
- External dependencies: Prefer available runtime packages and avoid unnecessary third-party scripts.
Best practices
- Purpose-built: Create mini apps for specific, well-defined use cases.
- Performance: Keep rendering and data loading fast.
- Testing: Test mini apps with realistic props before publishing.
- Documentation: Add comments for non-obvious logic in the code.
- User feedback: Watch how users interact with mini apps and iterate.
Troubleshooting
Mini app not loading:
- Check that the mini app is active and published.
- Verify you have access to the workspace that owns the mini app.
- Look for TypeScript or React errors in the editor console.
- Republish after fixing compile or runtime issues.
Mini app not receiving context:
- Use the test panel to simulate props with simple hardcoded data.
- Confirm the mini app is being opened from a supported record, website, or surface.
- Check the Embed SDK reference for expected props.
Mini app not appearing in Sidekick:
- Verify rules are configured in Settings > AI > Mini Apps > Rules.
- Check that the mini app is published, not only saved as a draft.
- Ensure you are viewing a supported CRM record or website.
- Refresh the Sidekick panel.
