System Architecture
Workrock apps are web applications that run inside an Iframe within the Workrock OS host. This architecture ensures security, isolation, and a seamless multitasking experience.
The Big Picture
Section titled “The Big Picture”graph TD User((User)) --> Core[Workrock Core OS] Core --> WindowManager[Window Manager] WindowManager --> AppIframe["App Iframe (Your App)"]
AppIframe -- "WORKROCK_INIT" --> Core Core -- "WORKROCK_CONTEXT (JWT)" --> AppIframe
AppIframe -- "REST + JWT" --> API[Workrock API] API -- "Data" --> AppIframe
Partner[Partner Portal] -- "Credentials" --> API Developer[Developer] -- "workrock dev" --> Tunnel[Local Tunnel] Tunnel -- "Proxy" --> AppIframeCommunication Flow
Section titled “Communication Flow”1. Host Isolation
Section titled “1. Host Isolation”Your application is served from your own infrastructure (or your local machine during development). Workrock Core renders your app’s URL in a sandboxed iframe.
2. The Handshake
Section titled “2. The Handshake”Upon loading, your app sends a WORKROCK_INIT message to the parent window. Workrock Core responds with WORKROCK_CONTEXT, which includes:
- Access Token: A scoped JWT for calling Workrock APIs.
- User Info: The current user’s name, email, and ID.
- Environment: Whether the app is running in a Sandbox or Production.
3. API Access
Section titled “3. API Access”Once your app has a JWT, it can make authenticated requests to the Workrock Python API. The API uses this token to enforce per-user and per-organization data access.
4. Local Development Tunnel
Section titled “4. Local Development Tunnel”When you use workrock dev, a secure tunnel is established. Workrock Core detects that you are in a Sandbox and automatically routes the application window to your local tunnel URL, allowing you to see changes instantly within the Workrock desktop.