Secure Messages - IAB


OpenFin applications on the IAB expose the URL location from which they are loaded as well as the protocol used. This means that one can validate that an application was securely (HTTPS) loaded from a specific domain and thus be sure of its identity. Applications that are running outside of the OpenFin Runtime (native applications) but that are connected to the bus, expose their code signing signatures so that their identity can also be validated.

Application identity on the IAB gives Application Providers the tools, outlined below, needed to validate the applications they are interacting with are indeed who they say they are. The IAB requires applications to subscribe to a specific topic in order to receive any published or sent messages from a provider. Securing the IAB is at the discretion of the developer. The following sections have examples of two IAB methods, publish and send, that can be used by a Provider. There is also additional information on how to obtain subscriber information as a Provider. These use cases will help you choose which method to use based on the level of security you wish to employ.

publish method

The publish method pushes a message to all applications that are subscribed to your topic. Although OpenFin ensures API security and architectural integrity of the IAB pipeline, the Application Provider is responsible for the data that they broadcast over the IAB. This method is a one-to-many connection as it sends a message to all OpenFin applications. It is recommended to only use publish for data that is accessible to all OpenFin applications.


fin.InterApplicationBus.publish('topic', 'hello').then(() => console.log('Published')).catch(err => console.log(err));

send method

The send method sends a message to a specific subscriber. This is a one-to-one connection and requires knowledge of the Client application's UUID. This method is recommended as a more secure way to send data between two individual applications over the IAB.


fin.InterApplicationBus.send(, 'topic', 'Hello there!').then(() => console.log('Message sent')).catch(err => console.log(err));

Subscriber information

As the Application Provider, you have the option to know what application is subscribed to your created topic(s). To see this information:

  1. Create an asynchronous function that will listen for new subscribers and retrieve the UUID and manfestUrl.


fin.InterApplicationBus.on('subscriber-added', async ({uuid, topic, name}) => {
    const { runtime: { version } , manifestUrl } = await fin.Application.wrapSync({ uuid }).getInfo();
    console.log(`The application with uuid: ${uuid}, running on runtime version: ${version}, launched via manifest: ${ manifestUrl} has subscribed to topic: ${ topic }`);
  1. Once this information is obtained, log entity to gather a more detailed log about the subscriber such as UUID, name, and entity type.


The only information obtained from this method is publicly available information. The Application Provider cannot obtain any detailed or private data about the application from this method.

console.log(await fin.System.getEntityInfo('OpenfinPOC', '40c74b5d-ed98-40f7-853f-e3d3c2699175'));
// example info shape
    "uuid": "OpenfinPOC",
    "name": "40c74b5d-ed98-40f7-853f-e3d3c2699175",
    "parent": {
        "uuid": "OpenfinPOC",
        "name": "OpenfinPOC"
    "entityType": "iframe"

Did this page help you?