> ## Documentation Index
> Fetch the complete documentation index at: https://docs.orderprotection.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating an App

> Step-by-step guide to creating and configuring your first OrderProtection app.

## Prerequisites

* An OrderProtection account — every account can build apps (an **account owner** can build private apps for their own stores; third-party developers build public apps)
* A server that can receive HTTPS callbacks (for redirect URIs) — OrderProtection delivers the authorization code there at install time

## Create your app

<Steps>
  <Step title="Navigate to Developer Apps">
    In the OrderProtection dashboard, click **Developer** in the left sidebar. This opens the Developer Apps page where you can manage all your applications.
  </Step>

  <Step title="Click Create New App">
    Click the **Create New App** button in the top-right corner. A modal will open with the app configuration form.
  </Step>

  <Step title="Choose visibility">
    Select the visibility for your app:

    * **Public** — Your app will be listed in the marketplace after review and approval. Any OrderProtection merchant can discover and install it.
    * **Private** — Your app is only available to your own account's stores and is never listed in the marketplace. It goes live via **Publish** (see [Private apps](#private-apps) below) — no admin review unless it requests admin-gated scopes.
  </Step>

  <Step title="Fill in app information">
    Provide the following details:

    | Field              | Required | Description                                                              |
    | ------------------ | -------- | ------------------------------------------------------------------------ |
    | Name               | Yes      | The display name for your app                                            |
    | Description        | No       | What your app does — shown to merchants during install                   |
    | Website URL        | No       | Your app's marketing or documentation site                               |
    | Privacy Policy URL | No       | Link to your privacy policy                                              |
    | App Logo           | No       | A square image representing your app                                     |
    | Category           | No       | Helps merchants discover your app (Analytics, Marketing, Shipping, etc.) |
  </Step>

  <Step title="Add redirect URIs">
    Add at least one redirect URI. This is the URL where OrderProtection will deliver authorization codes when merchants install your app.

    ```
    https://yourapp.example.com/callback
    ```

    <Warning>
      Redirect URIs must use HTTPS in production. You can use `http://localhost` for local development.
    </Warning>
  </Step>

  <Step title="Configure webhooks (optional)">
    If your app needs to react to real-time events, provide a webhook URL and select the event topics you want to subscribe to. See the [Webhooks guide](/developer/webhooks) for details.
  </Step>

  <Step title="Configure embedding (optional)">
    If you want your app's UI to appear inside the merchant dashboard:

    1. Enable the **Embedded Mode** toggle
    2. Enter your **App URL** — the page that will be loaded in an iframe

    See [Embedded Apps](/developer/embedded-apps) for the full setup guide.
  </Step>

  <Step title="Select scopes">
    Choose the permissions your app requires. For each scope, you can mark it as:

    * **Required** — The merchant must grant this permission to install your app
    * **Optional** — The merchant can opt out of this permission during installation

    See the [Scopes Reference](/developer/scopes) for the full list of available permissions.
  </Step>

  <Step title="Save and store your credentials">
    Click **Create**. You will receive:

    * **Client ID** — A public identifier for your app (e.g., `op_app_fc6767b5...`)
    * **Client Secret** — A private key used to exchange authorization codes for tokens

    <Warning>
      Store your client secret securely. It is only displayed once at creation time. If you lose it, you can rotate it from the app detail page, but this will invalidate the previous secret.
    </Warning>
  </Step>
</Steps>

## App status lifecycle

Public apps go through a review process before they are listed in the marketplace:

| Status        | Description                                                                        |
| ------------- | ---------------------------------------------------------------------------------- |
| **Draft**     | Initial state. Your app is not visible to merchants.                               |
| **In Review** | You have submitted your app for review. The OrderProtection team will evaluate it. |
| **Approved**  | Your app is approved and listed in the marketplace. Merchants can install it.      |
| **Rejected**  | Your app did not pass review. You will receive feedback and can resubmit.          |
| **Suspended** | A previously approved app that has been suspended by an admin.                     |

To submit a **public** app for review, navigate to its **Submission** tab and click **Submit for Review** (it must have a name, description, and at least one redirect URI). **Private** apps go live via **Publish** instead — see below.

## Private apps

Private apps are for your **own account's stores** and never appear in the public marketplace. They're ideal for internal integrations or tools you build for the stores you operate — no separate developer account required.

Instead of "Submit for Review," a private app goes live via **Publish** (on the app's **Submission** tab):

* **No admin-gated scopes** → Publish takes the app **straight to Approved**, with no reviewer involved.
* **Requests admin-gated scopes** (e.g., pricing settings) → Publish **routes the app to admin review** first — the same gate a public app hits, because it's the same sensitive data. The restricted scopes stay inert until an OrderProtection admin approves it.

Once Approved, install it from **App Marketplace → Private** (see [Marketplace](/developer/marketplace#private-apps)).

<Note>
  Private apps **can** request admin-gated scopes — they just route through admin review on publish instead of self-publishing. Only the public marketplace listing is off the table.
</Note>

## Managing your app

After creation, you can manage your app from the app detail page:

* **Overview** — View credentials, redirect URIs, webhooks, and scopes
* **Edit** — Update app information, redirect URIs, webhooks, embedding, and scopes
* **Installations** — See which merchants have installed your app
* **Submission** — Submit for review or check review status

## Rotating your client secret

If your client secret is compromised, you can rotate it from the app **Overview** tab. Click the regenerate button next to the client secret field. This immediately invalidates the old secret — update your server configuration before rotating.
