Skip to main content

TiCore v2 Addons

TiCore v2 ships a drop-in addon ecosystem — 10 installable features pulled separately from the framework core. Each addon registers its own routes, middleware, views, and config, and installs with a single CLI command. Curious how that compares to other micro-frameworks? See how TiCore stacks up.

Installing addons

Browse what’s available below, then install any addon by its slug with the ticore CLI:

bin/ticore addon list            # see installed addons
bin/ticore addon add <slug>       # install one from the public repo
bin/ticore migrate               # run any addon migrations (most addons self-migrate on first boot)

Addon Catalog (10)

Grouped into four families: Commerce, Content, Admin & API, and SEO & Marketing. Every addon lists what it does, its concrete capabilities, any optional .env keys, and its exact install line.

Commerce

Accounts and money — sign users in, then charge them through Stripe and PayPal.

TiCore Auth slug: auth

Full user accounts out of the box: register, login, logout, and an account page, with hardened sessions and roles. It is SQLite-backed and self-contained — it creates its own tables on first boot (no migration step). On registration it also wires up the guest and auth middleware aliases, so you can gate routes the moment it is installed.

Capabilities of TiCore Auth

  • Register / login / logout / account flows (SQLite-backed, self-contained)
  • Hardened sessions (HttpOnly / Secure / SameSite + regeneration)
  • Roles, plus GET/POST /login and /register (named routes)
  • Provides the guest (GuestOnly) and auth (AuthMiddleware) middleware aliases

env: AUTH_DB_PATH (optional)

bin/ticore addon add auth

TiCore Payments slug: payments

Accept money through both Stripe and PayPal behind a single integration — checkout, webhooks, and a success view via a CheckoutController. The Stripe and PayPal clients are dependency-free REST clients (no Stripe or PayPal SDK), and a completed payment fires a GA4 purchase event. Currency and all keys are read from .env.

Capabilities of TiCore Payments

  • Stripe checkout + webhooks
  • PayPal orders
  • Dependency-free REST clients — no Stripe/PayPal SDK
  • GA4 purchase event + configurable currency

env: STRIPE_SECRET_KEY, STRIPE_PUB_KEY, STRIPE_WEBHOOK_SECRET, PAYPAL_CLIENT_ID, PAYPAL_SECRET, PAYPAL_ENV, PAYMENTS_GA4_ID, PAYMENTS_CURRENCY

bin/ticore addon add payments

Content

Publish posts and collect messages from visitors.

TiCore Blog CMS slug: blog-cms

A self-contained SQLite blog with a public listing, single post, and category pages, plus an auth-protected admin for create / edit / delete with safe markdown rendering. Public routes are named (blog.index / blog.show / blog.category); admin writes live under an admin prefix behind auth and csrf, using constrained id routes like /blog/edit/{id:\d+}.

Capabilities of TiCore Blog CMS

  • Public GET /blog, /blog/{slug}, /blog/category/{slug} (named routes)
  • Admin group (prefix "admin") behind auth; writes also csrf-guarded
  • Constrained id routes — /blog/edit/{id:\d+}, /update, /delete
  • Safe markdown rendering, SQLite-backed and self-contained

env: BLOGCMS_DB_PATH (optional)

bin/ticore addon add blog-cms

TiCore Contact Mailer slug: contact-mailer

A ready-made contact form with a honeypot anti-spam field and CSRF protection. It delivers mail through the MailerSend REST API — no third-party form-builder widget — and degrades gracefully: if mail is not yet configured it logs a warning but still shows the visitor a “thanks” page. Ships with contact and thanks views.

Capabilities of TiCore Contact Mailer

  • Honeypot anti-spam + CSRF protection
  • Delivers via the MailerSend REST API
  • Graceful degradation — warns, still thanks the visitor, when unconfigured
  • Ships contact + thanks views

env: MAILERSEND_API_KEY, MAILERSEND_FROM_EMAIL, CONTACT_EMAIL

bin/ticore addon add contact-mailer

Admin & API

A back-office shell and a secured, versioned REST surface.

TiCore Admin Dashboard slug: admin-dashboard

A dark admin dashboard shell that shows the logged-in user, the PHP version, and the list of installed addons, plus a reusable admin layout other admin pages can match. It is a starting point and consistent chrome — it does not itself manage users, content, or payments; each addon surfaces its own screens inside this look. Built from a DashboardController and a dashboard view.

Capabilities of TiCore Admin Dashboard

  • Shows logged-in user + PHP version + installed-addon list
  • Reusable admin layout for other admin pages to match
  • DashboardController + dashboard view
bin/ticore addon add admin-dashboard

TiCore REST API Kit slug: rest-api-kit

A self-contained REST API toolkit. It issues SHA-256 hashed API keys shown once (verified by prefix lookup + hash_equals), and ships an apikey middleware (ApiKeyAuth) doing X-Api-Key header-only auth plus per-IP token-bucket rate limiting (429 + Retry-After; local IPs exempt). It exposes a versioned /api/v2 route group (GET /api/v2/ping, /api/v2/whoami), an admin key manager, and a server-side proxy console so keys never reach the browser. Backed by its own SQLite store.

Capabilities of TiCore REST API Kit

  • Hashed API keys shown once (SHA-256, verified by prefix + hash_equals)
  • apikey middleware: X-Api-Key header only + per-IP token-bucket rate limit (429 + Retry-After, local exempt)
  • Versioned /api/v2 group — GET /api/v2/ping, /api/v2/whoami
  • Admin key manager + server-side proxy console (keys never reach the browser)

env: RESTAPIKIT_DB_PATH, RESTAPIKIT_CONSOLE_KEY (both optional)

bin/ticore addon add rest-api-kit

SEO & Marketing

Get indexed faster, watch performance, feed Google Shopping, and emit clean structured data.

TiCore IndexNow slug: indexnow

IndexNow integration for instant search-engine indexing. It serves the verification key file at GET /indexnow-key.txt and submits your site URLs — including the sitemap — to the IndexNow API. Submission is handled by an auth-gated admin: GET /admin/indexnow with a CSRF-guarded POST /admin/indexnow/submit.

Capabilities of TiCore IndexNow

  • Serves GET /indexnow-key.txt verification key file
  • Auth-gated admin: GET /admin/indexnow, POST /admin/indexnow/submit (csrf)
  • Submits URLs (including the sitemap) to the IndexNow API

env: INDEXNOW_KEY (optional)

bin/ticore addon add indexnow

Google Analytics & Search Console slug: google-analytics-gsc

A read-only SEO dashboard — not a tag installer. It pulls your last-28-day Search Console clicks and impressions (GscClient) and GA4 sessions (Ga4Client) using a Google service account and a hand-rolled RS256 JWT (GoogleAuth, no Google SDK), and includes a setup guide. The GA4 measurement tag itself is part of the framework layout, not this addon.

Capabilities of Google Analytics &amp; Search Console

  • GSC clicks / impressions (last 28 days) via GscClient
  • GA4 sessions via Ga4Client
  • Service-account auth with hand-rolled RS256 JWT (no Google SDK)
  • Includes a setup-guide view

env: GOOGLE_APPLICATION_CREDENTIALS, GA4_PROPERTY_ID, GSC_SITE

bin/ticore addon add google-analytics-gsc

TiCore Google Ecommerce slug: google-ecommerce

A Google Merchant Center product-feed generator: it emits an RSS 2.0 feed with the g: namespace (MerchantFeed) and ships a sample product provider so the feed renders out of the box. A setup guide walks through Merchant Center and Business Profile linkage, and the feed currency is configurable.

Capabilities of TiCore Google Ecommerce

  • Merchant Center product feed (RSS 2.0 with g: namespace) via MerchantFeed
  • Sample product provider so the feed renders out of the box
  • Merchant Center + Business Profile setup guide
  • Configurable currency

env: MERCHANT_CURRENCY

bin/ticore addon add google-ecommerce

TiCore Schema.org Generator slug: schema-generator

A stateless JSON-LD generator: a hosted form that builds an escaped <script type="application/ld+json"> block from the fields you post, and also emits a copy-paste PHP config snippet of the SITE_* constants that the framework’s SchemaBuilder reads. Zero persistence — nothing is stored, written, or logged. Built from a SchemaController and a form view.

Capabilities of TiCore Schema.org Generator

  • Hosted form → escaped <script type="application/ld+json"> block
  • Also emits a copy-paste PHP SITE_* config snippet for SchemaBuilder
  • Completely stateless — nothing stored, written, or logged
  • SchemaController + form view
bin/ticore addon add schema-generator

How Addons Fit Together

Addons live under TiCore/addons/<slug>/, each with an addon.json manifest and a bootstrap class. On registration they plug their routes, middleware, and views into the framework’s router — and several register middleware aliases you can attach to your own routes, such as guest and auth (from the auth addon) and apikey (from the REST API kit). See how those tie into the security model.

Installing is pure bin/ticore: bin/ticore addon add <slug> validates the slug, then fetches the addon from the public repo tuxxin/TiCore (branch HEAD) into TiCore/addons/<slug>/ — downloading addon.json and then each file in its files[] manifest from raw.githubusercontent.com. Because addons are fetched on demand, they are excluded from base release tarballs.

Share: 𝕏 Twitter Facebook LinkedIn
Proton VPN — 10 device connections, audited no-logs
Recommended: Proton Unlimited
VPN, encrypted Drive, encrypted Mail, password manager — one bundle. See the full review →