Skip to main content

Prerequisites

  • An OrderProtection account — every account can build apps (an account owner can build private apps for their own stores; third-party developers build public apps)
  • A server that can receive HTTPS callbacks (for redirect URIs) — OrderProtection delivers the authorization code there at install time

Create your app

1

Navigate to Developer Apps

In the OrderProtection dashboard, click Developer in the left sidebar. This opens the Developer Apps page where you can manage all your applications.
2

Click Create New App

Click the Create New App button in the top-right corner. A modal will open with the app configuration form.
3

Choose visibility

Select the visibility for your app:
  • Public — Your app will be listed in the marketplace after review and approval. Any OrderProtection merchant can discover and install it.
  • Private — Your app is only available to your own account’s stores and is never listed in the marketplace. It goes live via Publish (see Private apps below) — no admin review unless it requests admin-gated scopes.
4

Fill in app information

Provide the following details:
FieldRequiredDescription
NameYesThe display name for your app
DescriptionNoWhat your app does — shown to merchants during install
Website URLNoYour app’s marketing or documentation site
Privacy Policy URLNoLink to your privacy policy
App LogoNoA square image representing your app
CategoryNoHelps merchants discover your app (Analytics, Marketing, Shipping, etc.)
5

Add redirect URIs

Add at least one redirect URI. This is the URL where OrderProtection will deliver authorization codes when merchants install your app.
https://yourapp.example.com/callback
Redirect URIs must use HTTPS in production. You can use http://localhost for local development.
6

Configure webhooks (optional)

If your app needs to react to real-time events, provide a webhook URL and select the event topics you want to subscribe to. See the Webhooks guide for details.
7

Configure embedding (optional)

If you want your app’s UI to appear inside the merchant dashboard:
  1. Enable the Embedded Mode toggle
  2. Enter your App URL — the page that will be loaded in an iframe
See Embedded Apps for the full setup guide.
8

Select scopes

Choose the permissions your app requires. For each scope, you can mark it as:
  • Required — The merchant must grant this permission to install your app
  • Optional — The merchant can opt out of this permission during installation
See the Scopes Reference for the full list of available permissions.
9

Save and store your credentials

Click Create. You will receive:
  • Client ID — A public identifier for your app (e.g., op_app_fc6767b5...)
  • Client Secret — A private key used to exchange authorization codes for tokens
Store your client secret securely. It is only displayed once at creation time. If you lose it, you can rotate it from the app detail page, but this will invalidate the previous secret.

App status lifecycle

Public apps go through a review process before they are listed in the marketplace:
StatusDescription
DraftInitial state. Your app is not visible to merchants.
In ReviewYou have submitted your app for review. The OrderProtection team will evaluate it.
ApprovedYour app is approved and listed in the marketplace. Merchants can install it.
RejectedYour app did not pass review. You will receive feedback and can resubmit.
SuspendedA previously approved app that has been suspended by an admin.
To submit a public app for review, navigate to its Submission tab and click Submit for Review (it must have a name, description, and at least one redirect URI). Private apps go live via Publish instead — see below.

Private apps

Private apps are for your own account’s stores and never appear in the public marketplace. They’re ideal for internal integrations or tools you build for the stores you operate — no separate developer account required. Instead of “Submit for Review,” a private app goes live via Publish (on the app’s Submission tab):
  • No admin-gated scopes → Publish takes the app straight to Approved, with no reviewer involved.
  • Requests admin-gated scopes (e.g., pricing settings) → Publish routes the app to admin review first — the same gate a public app hits, because it’s the same sensitive data. The restricted scopes stay inert until an OrderProtection admin approves it.
Once Approved, install it from App Marketplace → Private (see Marketplace).
Private apps can request admin-gated scopes — they just route through admin review on publish instead of self-publishing. Only the public marketplace listing is off the table.

Managing your app

After creation, you can manage your app from the app detail page:
  • Overview — View credentials, redirect URIs, webhooks, and scopes
  • Edit — Update app information, redirect URIs, webhooks, embedding, and scopes
  • Installations — See which merchants have installed your app
  • Submission — Submit for review or check review status

Rotating your client secret

If your client secret is compromised, you can rotate it from the app Overview tab. Click the regenerate button next to the client secret field. This immediately invalidates the old secret — update your server configuration before rotating.