🔌

FlowState Bridge

Bring Your Own Plugins to the Browser

Your VST3, AU & CLAP plugins — inside FlowState

⚡ <50ms Latency

🔒 Secure Local Bridge

🎚️ Full Parameter Control

💾 Preset Management

🎹

Your Entire Library

Use Serum, Omnisphere, Kontakt, FabFilter, Waves — every plugin you've invested in works with FlowState.

☁️

Browser + Desktop Power

Keep the speed and accessibility of browser-based production while tapping into professional desktop plugins.

🔄

Seamless Integration

Insert plugins on any track, automate parameters, save presets — it all works just like built-in effects.

How It Works

FlowState Bridge is a lightweight native app that connects your local plugins to the browser-based DAW.

┌─────────────────────────────────────────────────────────────────────────────┐ │ YOUR COMPUTER │ │ │ │ ┌───────────────────────┐ ┌────────────────────────────┐ │ │ │ BROWSER │ WebSocket │ FLOWSTATE BRIDGE │ │ │ │ │ localhost │ │ │ │ │ ┌─────────────────┐ │◄──────────────►│ ┌────────────────────┐ │ │ │ │ │ FlowState DAW │ │ │ │ Plugin Manager │ │ │ │ │ │ │ │ Commands: │ │ • Scan plugins │ │ │ │ │ │ • Web Audio │ │ loadPlugin │ │ • Load/unload │ │ │ │ │ │ • AudioWorklet │ │ setParam │ │ • Save presets │ │ │ │ │ │ • UI Controls │ │ process │ └────────────────────┘ │ │ │ │ │ │ │ │ │ │ │ │ └─────────────────┘ │ Audio: │ ┌────────────────────┐ │ │ │ │ │ Float32 │ │ Audio Engine │ │ │ │ │ │ buffers │ │ • Plugin hosting │ │ │ │ │ │ │ │ • DSP processing │ │ │ │ └───────────────────────┘ │ │ • Latency comp │ │ │ │ │ └────────────────────┘ │ │ │ │ │ │ │ │ ┌────────────────────┐ │ │ │ │ │ YOUR PLUGINS │ │ │ │ │ │ ┌────┐ ┌────┐ │ │ │ │ │ │ │Seru│ │Omni│ │ │ │ │ │ │ │m │ │sph.│ ... │ │ │ │ │ │ └────┘ └────┘ │ │ │ │ │ └────────────────────┘ │ │ │ └────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────────┘

App Framework

Lightweight native shell

Tauri 2.0 (Rust)

Communication

Real-time bidirectional

WebSocket on localhost

Audio Transport

Uncompressed low-latency

Float32 binary buffers

Supported Plugin Formats

Launch Format

🎛️

VST3

The industry standard for plugin instruments and effects.

~87% market share 10,000+ plugins available Free SDK from Steinberg

macOS

🍎

Audio Units

Apple's native plugin format for macOS and iOS.

~22% global usage Required for Logic Pro Apple CoreAudio integration

Future

🔓

CLAP

Modern open-source format with advanced features.

MIT License (free) ~400 plugins and growing Superior performance

Development Plan

Research & Architecture

Current Phase

Validating technical approach, evaluating frameworks, and designing security model.

WebSocket protocol design Latency benchmarks Security audit Framework selection

Proof of Concept

Upcoming

Build minimal working bridge with single plugin support. Validate latency targets.

Tauri app scaffold VST3 hosting Audio round-trip Latency measurement

Core Features

Upcoming

Full plugin scanning, parameter control, preset management, and multiple instances.

Plugin scanner Parameter enumeration Preset save/load Multi-instance AU support

FlowState Integration

Upcoming

Seamless integration into FlowState UI with plugin browser, track inserts, and automation.

Plugin browser UI Track insert slots Parameter automation Preset sync

Polish & Release

Upcoming

Security hardening, performance optimization, documentation, and public release.

Security audit Performance tuning Auto-update Documentation Beta testing

Security Architecture

We take security seriously. Here's our comprehensive threat model and how we address each risk.

What Bridge Does NOT Change

Malicious VSTs are already a risk — If someone has a compromised plugin on their system, it can do damage when loaded in any DAW (Ableton, FL Studio, Logic, Pro Tools). The Bridge doesn't make this worse because:

Bridge runs with user-level privileges (same as any DAW)
It only loads plugins already installed on your machine
It does not download, install, or auto-update plugins
Audio processing happens entirely locally — nothing goes to the cloud

What Bridge Does Expose

The Bridge creates a new network attack surface that we must secure:

Localhost WebSocket server — A port that accepts connections
Plugin loading from browser — FlowState can tell Bridge which plugin to load
Audio data transport — Uncompressed audio flows between browser and Bridge

Threat Model & Mitigations

Threat	Risk Level	Mitigation
Malicious website connects to Bridge Evil site tries to load plugins or steal audio	High	Origin verification — Only flowstatedaw.com domains can connect. Checked on every WebSocket handshake.
Session hijacking Attacker intercepts browser-to-Bridge communication	Medium	Token authentication — One-time cryptographic token generated per session. Tokens expire after use.
Plugin crash exploits Bridge Malicious plugin tries to escape sandbox	Medium	Process isolation — Each plugin runs in a separate process. Crashes are contained and don't affect Bridge core.
Remote network access Attacker on same network tries to connect	High	Localhost binding — Bridge binds to 127.0.0.1 only. Connections from other IPs are rejected at the OS level.
Man-in-the-middle on localhost Rare: malware intercepts local traffic	Low	Optional TLS — Self-signed certificate for encrypted local traffic (opt-in for paranoid users).
Unauthorized plugin loading FlowState or attacker loads unwanted plugin	Medium	Plugin allowlist — Users explicitly enable each plugin. No auto-scanning or silent loading.

Core Security Features

🔐

Localhost Only

Bridge binds exclusively to 127.0.0.1. External connections are impossible — rejected at the network layer before reaching Bridge code.

✅

Origin Verification

Every WebSocket connection must pass origin verification. Only *.flowstatedaw.com origins are accepted. Malicious websites are blocked.

🛡️

Process Isolation

Plugins run in isolated child processes with limited permissions. A plugin crash or exploit attempt is contained and cannot affect the Bridge core or other plugins.

🔑

Session Tokens

Cryptographic one-time tokens authenticate each browser session. Tokens are generated locally, never transmitted over the network, and expire after use.

📋

Plugin Allowlist

Users must explicitly approve each plugin before it can be loaded. No automatic scanning of your plugin folders — you control exactly what Bridge can access.

🔍

Third-Party Audit

Before public release, the Bridge codebase will undergo a security audit by an independent firm specializing in desktop application security.

A Note on Plugin Security

VST and AU plugins run as native code with full user privileges. This is true in every DAW — Ableton, Logic, FL Studio, Pro Tools, and now FlowState Bridge.

Best practices for plugin safety:

Only install plugins from trusted sources (official vendor websites, Splice, Plugin Boutique)
Avoid "cracked" or pirated plugins — they're a common malware vector
Keep plugins updated to patch security vulnerabilities
On macOS, prefer plugins that are notarized by Apple
Use the Bridge allowlist to only enable plugins you actively use

FlowState Bridge cannot protect you from malicious plugins — no DAW can. But it also doesn't make the risk any worse than running plugins in a traditional DAW.

Pricing

FlowState Pro

$9.99/mo

Bridge included with Pro subscription

FlowState Bridge access
Unlimited cloud storage
Priority AI generation
Advanced vocal processing
Stem separation
Export in all formats

Get Pro →

Bridge Standalone

$49one-time

For users who just need the bridge

FlowState Bridge app
VST3 & AU support
Unlimited plugins
Preset management
Lifetime updates
Works with free FlowState

Coming Soon

Frequently Asked Questions

What plugins will work with Bridge?

Any VST3 or Audio Unit plugin installed on your system. This includes instruments like Serum, Omnisphere, and Kontakt, as well as effects like FabFilter, Waves, and iZotope plugins. VST2 plugins are not supported due to licensing restrictions.

What about latency?

Bridge is designed for real-time use. We're targeting under 50ms total round-trip latency, which is comparable to running plugins natively. The exact latency depends on your buffer settings and system performance.

Do plugins run in the cloud?

No. Plugins run entirely on your local machine. The Bridge app handles all audio processing locally. FlowState in the browser sends and receives audio to/from your computer — nothing goes to the cloud.

Will plugin GUIs be visible?

Yes. Plugins open in their native windows on your desktop. You control parameters from either the plugin's native UI or from FlowState's parameter controls in the browser.

Is this different from running a local DAW?

Bridge combines the best of both worlds: FlowState's modern, AI-powered, collaborative workflow in the browser, plus access to your professional plugin collection that requires a native host. You get cloud accessibility with desktop power.

What operating systems are supported?

Bridge will be available for macOS (Apple Silicon and Intel) and Windows. Linux support is being evaluated based on demand.

When will Bridge be available?

We're currently in the research and architecture phase. Sign up for FlowState Pro to get early access when the beta launches.

Stay Updated

Be the first to know when FlowState Bridge enters beta.

Get FlowState Pro →