> ## Documentation Index
> Fetch the complete documentation index at: https://docs.salesive.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Building Salesive Apps

> Build third-party apps that merchants install on their stores to extend Salesive with your own functionality.

A **Salesive App** is a third-party integration that a merchant installs on their store.
Your app runs on your own infrastructure and talks to the Salesive API on the merchant's
behalf — reading and writing orders, products, customers and more — using permissions the
merchant explicitly grants during install.

Apps use **OAuth 2.1 with PKCE**, so merchants never share their password or API keys with
you. Instead, they approve a consent screen that lists exactly what your app can access, and
Salesive issues your app a token scoped to that one store.

<Note>
  Apps are different from **Themes** (your storefront's look) and **Integrations** (pre-built
  pixel/analytics connectors). An App is *your own* product, published to the Salesive Apps
  marketplace, that any merchant can discover and install.
</Note>

## What you can build

<CardGroup cols={2}>
  <Card title="OAuth, not credentials" icon="shield-halved">
    Merchants grant access through a consent screen. Your app receives a scoped, revocable
    token — never the merchant's login.
  </Card>

  <Card title="Per-store install" icon="store">
    Each install binds your app to one store. The token can only ever touch that store's data.
  </Card>

  <Card title="Work with store data" icon="plug">
    Read and write orders, products, customers, categories, shipping, discounts and blogs —
    gated by the scopes you request.
  </Card>

  <Card title="Publish to the marketplace" icon="rocket">
    Submit your app for review and list it so merchants can find and install it from their
    dashboard.
  </Card>

  <Card title="Get events via webhooks" icon="bell">
    Receive real-time, signed webhook deliveries when store data your app can access changes —
    no polling. See [Webhooks](/apps-api/webhooks).
  </Card>
</CardGroup>

## How apps work

<Steps>
  <Step title="Register your app">
    Create an app in the Salesive dashboard's **Developer console** (Apps → Developer). You
    receive a `client_id` and a `client_secret`, and you declare your redirect URIs and the
    scopes (permissions) your app needs.
  </Step>

  <Step title="A merchant installs it">
    From the Apps marketplace, the merchant launches your install URL. They're taken to a
    Salesive consent screen that shows the permissions you requested and the store they're
    installing on, and they approve.
  </Step>

  <Step title="Salesive issues a token">
    Your server exchanges the returned authorization code (plus your PKCE verifier and client
    secret) for an access token and refresh token, bound to that store and those scopes.
  </Step>

  <Step title="Your app calls the API">
    Send the access token as a `Bearer` token on requests to the Salesive API. Salesive
    enforces the granted scopes and automatically scopes every request to the installed store.
  </Step>
</Steps>

## Key concepts

| Concept          | What it is                                                                                                                                                                                     |
| ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **App**          | Your OAuth client + marketplace listing. Identified by a `client_id` (prefixed `app_`).                                                                                                        |
| **Installation** | The record of your app installed on one store, with the scopes the merchant granted. It is the source of truth — when a merchant uninstalls, all of the app's tokens stop working immediately. |
| **Scope**        | A granular permission (e.g. `READ_ORDERS`, `WRITE_INVENTORY`) the merchant approves at install. See [Scopes & permissions](/apps/scopes-permissions).                                          |
| **Access token** | A short-lived bearer token (prefixed `app_`) used to call the API. Refreshed with a long-lived refresh token.                                                                                  |
| **Webhook**      | An optional HTTPS endpoint Salesive POSTs signed events to whenever data your app has permission for changes. See [Webhooks](/apps-api/webhooks).                                              |

## Before you start

<Note>
  You'll need a Salesive account to access the **Developer console** (Apps → Developer in your
  store dashboard), and a server that can hold your `client_secret` and complete the OAuth
  token exchange. Apps are headless — Salesive does not host your app's UI.
</Note>

## Next steps

<CardGroup cols={2}>
  <Card title="Install flow (OAuth + PKCE)" icon="arrow-right-to-bracket" href="/apps/oauth-install">
    Implement the end-to-end authorization and token exchange.
  </Card>

  <Card title="Scopes & permissions" icon="key" href="/apps/scopes-permissions">
    See every scope your app can request and how enforcement works.
  </Card>

  <Card title="Build & publish" icon="rocket" href="/apps/building-publishing">
    Register your app, list it, and submit it for review.
  </Card>

  <Card title="Webhooks" icon="bell" href="/apps-api/webhooks">
    Receive signed, scope-gated store events at your endpoint in real time.
  </Card>
</CardGroup>