Runtimes
Web Runtime
Browser and PWA usage with @meshkit/web.
Use @meshkit/web when MeshKit runs in a browser or PWA. The web runtime detects browser capabilities and helps you keep Core behavior consistent with browser storage, IndexedDB, service workers, and WebCrypto constraints.
Do not expose unrestricted Kubo RPC or privileged provider tokens directly to browser clients.
Install
npm install @meshkit/webCreate A Web Client
import { createMeshkitWeb, detectWebCapabilities } from "@meshkit/web";
const capabilities = detectWebCapabilities();
const mesh = await createMeshkitWeb({
identity: "browser-user",
});
console.log({
keyVault: capabilities.keyVault.trustLevel,
persistentStorage: capabilities.storage.persistent,
provider: mesh.providers.current().name,
});Web Capabilities To Check
| Capability | Why it matters |
|---|---|
| WebCrypto | Required for client-side encryption primitives |
| IndexedDB | Useful for local persistence and cached identity records |
| Service worker | Can help caller-managed background sync, but does not guarantee it |
| Blob/File APIs | Important for uploads and downloads |
| Network access | Browser clients should call safe app/provider boundaries, not raw privileged RPC |
Production Patterns
Good browser production patterns:
- Use app-owned Helia when the browser should own an IPFS node.
- Use an application backend as the trusted boundary for Kubo, metadata, policy, and Filecoin credentials.
- Scope any browser-visible token to the minimum operation possible.
- Persist only safe client state in IndexedDB.
- Keep decrypted content out of analytics, logs, and crash reports.
Avoid:
- Direct browser access to unrestricted Kubo RPC.
- Shipping provider admin tokens in client bundles.
- Treating service-worker sync as guaranteed execution.
- Treating browser key storage as equivalent to a native non-exportable key vault.