Skip to main content

Build & publish

This page covers registering your app, configuring its listing, and getting it published to the Salesive Apps marketplace.

Register your app

1

Open the Developer console

In your Salesive store dashboard, go to Apps → Developer and choose Create app.
2

Fill in the basics

Give your app a name, tagline, description, icon, and category. Add at least one redirect URI (the callback URL your server handles after consent) and select the scopes your app needs.
3

Save your credentials

On creation you receive a client_id and a client_secret. The secret is shown only once — store it securely. You can regenerate it later if needed.
4

Set your install URL

Set the Install / launch URL to where merchants begin installing — the page on your site that kicks off the OAuth flow. This is what the marketplace “Install” button opens.
Treat the client_secret like a password. Store it only on your server, never in client-side code, a mobile app, or a public repository. If it leaks, regenerate it from the Developer console.

Registering via the API

You can also manage apps programmatically (authenticated with your Salesive dashboard session). Creating an app returns the secret once: 
curl -X POST https://api.salesive.com/api/v1/apps/developer \
  -H "Authorization: Bearer <your-dashboard-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Fulfillment Buddy",
    "tagline": "Auto-sync shipments to your 3PL",
    "redirectUris": ["https://yourapp.com/oauth/callback"],
    "category": "fulfillment",
    "appUrl": "https://yourapp.com/install",
    "scopes": ["READ_ORDERS", "WRITE_SHIPPING"]
  }'
EndpointPurpose
POST /apps/developerCreate an app (returns client_secret once).
GET /apps/developerList your apps.
GET /apps/developer/:idGet one of your apps.
PUT /apps/developer/:idUpdate listing, redirect URIs, or scopes.
POST /apps/developer/:id/regenerate-secretRotate the client secret.
POST /apps/developer/:id/submitSubmit the app for review.
DELETE /apps/developer/:idDelete the app.

Test your app before submitting

While your app is a draft, you can install it on your own store to test the full OAuth flow end to end. Run through the install flow, confirm your token exchange works, and verify your API calls succeed with the scopes you requested.

Submit for review

When your app is ready, submit it for review from the Developer console (or POST /apps/developer/:id/submit). Your app moves through this lifecycle:
1

Draft

Visible only to you. Editable and installable on your own store for testing.
2

Pending

Submitted and awaiting review by the Salesive team.
3

Approved

Published and discoverable in the Apps marketplace. Merchants can install it.
4

Rejected

Sent back with reviewer feedback. Address the feedback and resubmit.
Before submitting, declare at least one scope and make sure your listing (name, description, icon, install URL) is complete. Apps are only listed publicly once approved.

How merchants install your app

Once approved, your app appears in the Apps marketplace inside every merchant’s dashboard. A merchant opens your listing and clicks Install, which launches your install URL and runs the OAuth consent flow. You can also share a direct install link to your listing or install URL from your own marketing site. Installed apps appear under Apps → Installed apps, where merchants can review the granted permissions and uninstall at any time.

Security best practices

Keep the secret server-side

Never ship the client_secret in client code. Complete the token exchange only from your backend.

Always use PKCE

Generate a fresh code_verifier per install and verify state on the callback to prevent CSRF.

Request least privilege

Ask only for the scopes you use. Fewer permissions means higher merchant trust and approval.

Use exact redirect URIs

Register full, exact callback URLs. Salesive rejects redirects that don’t match.

Rotate refresh tokens

Refresh tokens rotate on use — persist the newest one and discard the old.

Handle uninstalls

Treat a 401 “no longer installed” as an uninstall: stop calling the API and purge stored tokens for that store.

Next steps

Review the install flow

The full OAuth 2.1 + PKCE handshake.

Browse scopes

Pick the right permissions for your app.