The Livestax Developer Hub

Building an app for Livestax


Livestax allows you to quickly and easily build secure web views on top of your data held in your IT systems. We call these web views apps.

At a high level, you host one or more applications that serve an HTML page at a URL. This URL is added as an app to Livestax. When your users visit Livestax and add your app, their browser loads your app, alongside others, inside iframes in the user's browser.

This is just the beginning though, because the platform provides:

Adding your app to Livestax

To add an app to an organisation in Livestax, there are a few pieces of information that are required:

When you add an app, we generate a secret key for it. This secret key is needed if you are using the POST loading method and/or the User API.

Minimum requirements for an app

The most basic Livestax app would be an HTML page which loads the Livestax JS API.

You'll need to host the HTML somewhere that your users can access it over HTTPS - either on the public internet or within a corporate network.

If you want to use the Livestax authentication and authorisation system, your app has to be loaded by HTTP POST, which will require some server-side code.

Livestax apps are webpages, so you'll need to know some HTML and JavaScript. The server-side code can be written in any language - you are free to choose the one you'll be most productive in.


For security reasons, all apps must be loaded over HTTPS. This includes any assets (images, JavaScript, CSS, webfonts) that your app fetches and any forms that your app includes. This is necessary because web browsers block non-HTTPS assets on HTTPS pages - this is called Mixed Content.

To serve your app over HTTPS, the server hosting your app needs an HTTPS certificate. There are many different vendors who can sell you HTTPS certificates (you might have them already), but you might like to look at Let's Encrypt as a zero-cost option.

To enable HTTPS for local development only, one option is using a self-signed root certificate. Please note that this isn't suitable for production environments. Here is a walk-through for a self-signed root certificate using openssl.


Livestax has internal access controls to prevent users accessing data and apps that they shouldn't. To use Livestax's built-in authentication, your app must be loaded using HTTP POST.

When Livestax loads your app via POST, it includes a JSON Web Token (JWT) in the request body. This token is cryptographically signed using a secret that is specific to your app. When your application receives the POST request from the user's browser containing the token, this tells you:

Read more about the signed request here

App loading and authentication flow

Diagram showing the initial app load and authentication flow

Note: this diagram shows the POST loading method. The GET method works similarly, but for security reasons the signed request is not supplied and your app doesn't connect to the Livestax User API.


Livestax supports two ways of loading your app: with an HTTP GET or POST.

The POST loading method is suitable when:

The GET loading method is suitable when:

Additional authentication options

Livestax has a great authentication system built-in to let your app rely on Livestax for user management, authentication and authorisation. The great thing about the flexible architecture is that you are free to use existing authentication systems instead, or to mix and match to get the best of both worlds.

JavaScript API

Our JavaScript API provides essential functionality to integrate your app with Livestax itself and to let it communicate with other apps in the user's browser, without requiring you to implement any kind of push messaging system. It also includes various API calls for user interaction.

Read more about the JavaScript API here

Theme and component library

Livestax provides a theme to enable you to quickly create consistent apps without needing years of frontend experience.

Read more about the theme here