SAFE Network API - Getting started (draft)

Will those folders and content be visible/accessible to the user?.. the test of which is can they delete them??.. if only for the thought that a buggy app might need that to occur.

[quote=“maidsafe, post:1, topic:726”]
ImmutableData … to avoid data deduplication.[/quote]

Confused as that’s suggested twice - would have expected it to be made to avoid duplication…

[quote=“maidsafe, post:1, topic:726”]
Applications can easily integrate the safe_app library based on the platform the application is being built.[/quote]

Previously there was allusion to some direct rust to rust option… but not obvious what that might be.



oops that was a typo. I just fixed it :slight_smile:


Good stuff, concise understandable, really useful to help get going I think.

This reads a bit like revoking the Authenticator, so maybe…

From the Authenticator, the user can revoke permissions for any app at any time.

Looking forward to playing with this :slight_smile: Not happening soon though :frowning2: still working in DIY and trip preparation.


Thank you, this is helpful, but I remain a little confused as to how apps will talk to the SafeNetwork.

Some clarification would be much appreciated:

  1. At some point, there was talk of an SDK rather than an API and this involved NodeJS (and I think React framework)? I was concerned as this seemed to be mandating dependencies and a specific framework, but didn’t get deep enough in my understanding to be sure.

  2. It seemed to me from reading that there wouldn’t be a REST API in future, but the docs for this are still easily findable and show HTTP requests and refer to the launcher. Is any of this still relevant or not? (I’m pretty sure the launcher is going, right?)

  3. We now have two alternatives, Node.js API and DOM API? Is that correct?
    Is Node.js API able to directly interface between an app and the SafeNetwork without SafeBrowser?

  4. How will native, compiled apps be authenticating and interfacing with SafeNetwork?

Many thanks to anyone with the time to jump in, I’d like to have a bit more clarity before our meetup this evening.

Hi Peter,

I’m not aware of a plan for a React framework at the moment, there is indeed a NodeJs library you can already start using for interacting with the network, which is the one referenced above: (

The plan is to not need a Launcher but just the Authenticator which is already embedded in the SAFE browser, so you shouldn’t count on this REST API.
However, I think that the information that the launcher was able to display is really useful to the user, so I think we can either embed it as part of the Authenticator in the browser, or perhaps update the Launcher to become just a monitoring/statistics tool which can be run separately like any other SAFE app.
On the other hand, if anyone needs a REST API, they can implement it on top of the safe_app_nodejs API.

That’s correct, but the JAVA library is also showing some good progress and soon will be also available.

This is already possible if the app already has the auth URI. After the app requested the Authenticator (which is embedded in the browser) to be authorised, it receives an auth URI which is then used to connect directly to the network. If the auth URI is securely stored by the app, it can keep connecting to the network without the need of the Authenticator, unless the app is revoked by the user, in which case it will need to request a new auth URI from the Authenticator.

The authorisation & connection flow would be the same as that of a NodeJS/WebApp/JAVA app. Now, a native app can interface with the safe_client_libs using the safe_app FFI interface, or using the lower level interface (safe_core) if it’s a Rust app.


@Peter_Robertson, this is a draft of a diagram that will be part of the guide, and it should hopefully help to clarify the flow:


Indeed it does Gabriel, thank you very much.




When I try executing SAFE_Tutorial_Example_3() using the 0.2.1 SAFE browser (mock routing), on Windows 10, the console just reads:

SAFE Example #3: Iterating over MutableData entries

It doesn’t display any of the keys or values. I had a similar problem with example #2 as well.

Hi @am2on, can you please confirm how you are running the examples, i.e. are you uploading it with the web hosting app first and then loading it on the browser? If so, can you please share the code exactly how you are uploading it, i.e. the whole HTML page?

I put the code within index.html, in between <script> tags and added a function call at the bottom so the function would run automatically. I uploaded each example to a separate service via the hosting manager. So, example 3’s index.html file looked like this:

```html
<h1>Example 3</h1>
<p>
This example code demonstrates how a web app can connect to the authenticator
to request for authorisation and receive the auth URI, use the auth URI to then
connect to the SAFE Network, after connected, it creates a MutableData, and
finally it iterates over the entries, key and values of the created MutableData.
</p>
<script>
function SAFE_Tutorial_Example_3() {
  console.log('SAFE Example #3: Iterating over MutableData entries');

  let appInfo = {
    name: 'Example safe-app web page #3',
    id: 'net.maidsafe.tutorial.webapp.example3',
    version: '0.1.0',
    vendor: 'MaidSafe Ltd.',
  };

  let access = {
    '_public': ['Read', 'Insert', 'Delete', 'ManagePermissions']
  };

  const typeTag = 15000;
  const MUTABLE_DATA_ENTRIES = { key1: 'value1', key2: 'value2' };

  // Initialise the app to obtain the app token used by every later call.
  window.safeApp.initialise(appInfo)
    .then((appToken) => window.safeApp.authorise(appToken, access)
      .then((authURI) => window.safeApp.connectAuthorised(appToken, authURI))
      .then(_ => window.safeMutableData.newRandomPublic(appToken, typeTag))
      .then((mdata) => window.safeMutableData.quickSetup(mdata, MUTABLE_DATA_ENTRIES)
        .then(_ => window.safeMutableData.getKeys(mdata)
          .then((keys) => window.safeMutableDataKeys.forEach(keys,
            (key) => console.log("Key:", key.toString()))
          .then(() => {
            console.log("Keys iteration finished");

            // Make sure that MutableData Keys instance is freed from memory.
            window.safeMutableDataKeys.free(keys);
            console.log("MutableData Keys instance freed.");
          }))
        )
        .then(_ => window.safeMutableData.getValues(mdata)
          .then((values) => window.safeMutableDataValues.forEach(values,
            (value) => console.log("Value:", value.buf.toString()))
          .then(() => {
            console.log("Values iteration finished");

            // Make sure that MutableData Values instance is freed from memory.
            window.safeMutableDataValues.free(values);
            console.log("MutableData Values instance freed.");
          }))
        )
        .then(_ => window.safeMutableData.getEntries(mdata)
          .then((entries) => window.safeMutableDataEntries.forEach(entries,
            (key, value) => console.log("Entry: (", key.toString(), ",", value.buf.toString(), ")"))
          .then(() => {
            console.log("Entries iteration finished");

            // Make sure that MutableData Entries instance is freed from memory.
            window.safeMutableDataEntries.free(entries);
            console.log("MutableData Entries instance freed.");
          }))
        )
        .then(_ => {
          // Make sure that SAFEApp instance is freed from memory.
          window.safeApp.free(appToken);
          console.log("SAFEApp instance freed.");

          // Make sure that MutableData instance is freed from memory.
          window.safeMutableData.free(mdata);
          console.log("MutableData instance freed.");
        })
      )
    )
    .catch((err) => {
       console.error("Error from webapp: ", err);
    });
}

// Run the example automatically when the page loads.
SAFE_Tutorial_Example_3();
</script>
```


However, I tried it again just now after seeing the response, and now it works! I made no changes to the code or environment, so I’m not sure what went wrong yesterday.


Thanks for the details, I just asked because people tend to open it from a file:// location which is not possible at the moment, the DOM API is only made available when loading it from a safe:// location.

Great! if it happens to you again please don’t hesitate to report it.


@bochaco Gabriel, I thought inline scripting (and styles) was blocked by the browser Content Security Policy. Is that no longer needed?

Great work on these examples, they help a lot to get started.

Here’s my test site with all 3 examples if anyone needs them: safe://test.davidmtl/index.html


Hi @happybeing, isn’t CSP applicable when the script is loaded from a different domain? I haven’t tried these type of things myself yet.

I think the problem is that if you allow inline scripting (or inline CSS) a script can’t be prevented from loading from another domain, so in order to implement a same origin policy, CSP rules normally block inline scripts & CSS. I suspect we don’t have any CSP rules being imposed by the browser at present, but have not checked that.

When testing websites with the early SAFE Beaker Browser inline scripts & CSS were disabled for same origin security, but I think this was imposed by the web proxy which has since been removed, so that may be why it is no longer active.

What I’m not sure about is whether it is still needed or not. So that’s really my question - have we left a security hole open, or is this no longer a risk?

I suspect it is a risk, but that it is (like the current Web) up to the website to provide appropriate CSP headers. However, my understanding is that the main browsers are taking on that responsibility by gradually imposing ever stricter CSP rules because so few websites are set up adequately in this regard. In which case we should probably have SAFE Browser do the same.

So my hunch is that we will need to close this loophole or we risk leaving users open to using websites and apps that are at risk from attacks such as XSS (eg inserting HTML into comments, forum posts etc).
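
Added example, not part of the original thread and not SAFE Browser code: a small Node.js checker showing how a CSP value answers both questions raised above, whether an inline script without a nonce or hash would run and whether a script from another host would load. The policy strings, the `safe://…example` URLs and the helper names are constructed for illustration.

```javascript
// Added example: constructed policies, hypothetical helper names.
// Parse a CSP header value into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; null means scripts are unrestricted.
function scriptSources(policy) {
  const d = parseCsp(policy);
  const list = d.get('script-src') || d.get('default-src');
  return list ? list.map((s) => s.toLowerCase()) : null;
}

// Would an injected <script>...</script> with no nonce or hash be executed?
function allowsInjectedInline(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const pinned = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  return sources.includes("'unsafe-inline'") && !pinned;
}

// Would <script src=scriptUrl> load? Only 'self' and exact scheme://host
// sources are modelled; wildcards, paths and ports are left out.
function allowsExternalScript(policy, pageUrl, scriptUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  const sameOrigin = page.protocol === script.protocol && page.host === script.host;
  return sources.some((s) =>
    s === "'self'" ? sameOrigin : s === `${script.protocol}//${script.host}`);
}

const PAGE = 'safe://forum.example/index.html'; // constructed page URL
for (const policy of ['', "default-src 'self'", "script-src 'self' 'unsafe-inline'"]) {
  console.log(JSON.stringify(policy),
    'inline:', allowsInjectedInline(policy),
    'cross-site src:', allowsExternalScript(policy, PAGE, 'safe://other.example/x.js'));
}
```

The empty policy models a browser that imposes no CSP at all: both the injected inline script and the cross-site script are allowed, while `default-src 'self'` blocks both.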


Hi @bochaco, I started using an Ubuntu 17.04 VM for dev purposes, and got the same problem for the mock browser for Example 3.

The JS Console still gives no errors, nothing at all except for the first log message at the beginning, but this time I ran the browser executable from a terminal, and I saw this in the terminal after I authorized the example 3 app:

```
Mutation not authorised
thread 'App Event Loop' panicked at 'assertion failed: vault.authorise_mutation(dst, self.full_id.public_id().signing_public_key())', /home/travis/build/krishnaIndia/safe_core/safe_core/src/client/mock/
note: Run with `RUST_BACKTRACE=1` for a backtrace.
thread 'App Event Loop' panicked at '

!   unwrap! called on Result::Err                                              !
/home/travis/build/krishnaIndia/safe_core/safe_core/src/client/mock/,20 in safe_core::client::mock::routing

    "PoisonError { inner: .. }"

', /home/travis/.cargo/registry/src/
```

I also discovered this error only occurs the first time the app asks for authorization. If I restart the browser and open the page without revoking authorization, the MD example starts working as intended, and there is no error in the terminal!

But if I revoke the app’s permissions before restarting the browser, and accept the permissions again, the problem happens again.

On my Win10 machine, where I originally encountered the problem, it works all the time now – even after revoking and reauthorizing. I was trying to run the mock browser & example from CMD, to see if the underlying error message was similar, but I can’t reproduce on this system anymore. I’m not sure why.

Also, when I tested it (on the Ubuntu VM and the Windows host), I’m running the JS from a separate file, so it’s not inline js anymore. I used exactly the same JS & index.html for both systems.

Hope this info is useful! :slight_smile:


Hi @am2on, let me ask this first, are you building the browser yourself, and if so, note that we merged everything to the master branch last week, so are you building the master branch?

Also, if you are following the tutorial from this post, note that it’s a bit outdated now.

I was using the prebuilt browser binary on the release page (v0.2.1). I can try building the browser myself with the latest changes, and see if that improves things. Are there any up-to-date guides for building it with mock-routing? If not, what should I do differently from that post to get it to work? Thanks!

I am interested in binaries that would allow me to develop/test web apps on a non-connected laptop. My style of coding is very iterative and loading new files into the actual network every time I do a small edit is extremely painful.

I understand there is a mock-vault binary. Is this all that is needed, or is there a special mock version of the Beaker browser needed as well? If I use the mock-vault, can I just copy the app files to a directory, or do I still need to “upload” them into the mock-vault (which would still present something of a bottleneck to iterative development)?

Ideally, I want to edit my javascript, click something (double clicking on a batch file would be OK), wait only a second or two, and be able to test the edits.


Hi @pdx, @am2on, currently the browser is set to build with network libraries only, we will be updating the documentation soon for those who want to build for the mock as there is a minor issue in the browser build for mock we first need to solve ( As you can imagine this is having a lower priority than the other functional issues we are working on, so please be a bit patient that we’ll get there soon.
There is also an ongoing effort to provide tools for development, so you can work with the mock using the browser and loading locally stored webapps, trust me, I’m also as anxious as you to have them ready as they’ll help us all to speed up in developing safe apps.