App Development Best Practices

Review the following best practices before submitting your app to the App Marketplace.

OAuth flow

Follow security best practices and requirements

RFC 6749 discusses OAuth security considerations, recommendations, and requirements. Here's a summary of important items applicable to apps:

  • Request access tokens with minimal scopes necessary.
  • Serve all redirect URIs over TLS.
  • Keep access tokens confidential in transit and storage.
  • Do not transmit access tokens, refresh tokens, or client credentials in the clear.
  • Do not transmit authorization codes in the clear.
  • Educate end-users about the risks phishing attacks pose.
  • Provide mechanisms that make it easy for end-users to confirm the authenticity of your app.
  • Implement CSRF protection on the redirect URI, for example with an unguessable state parameter that is bound to the user's session and verified when the authorization server redirects back.

For details, see Security Considerations in RFC 6749. For a list of the top web application security risks and best practices to avoid them, see the OWASP Top Ten.

API requests

For recommendations on API request-related best practices, including rate limits, threading, parallel requests, and the finer points of request headers, see our article on Best Practices.

Webhook events

Use webhooks to keep app data up-to-date

Rather than polling endpoints, get notified when updates occur by subscribing to webhooks.

User interface

Manage user session timeouts

Add BigCommerce's JavaScript SDK to your single-click app's front-end to prevent users from getting logged out of the control panel while using your app. To do so, reference the following script in your app's client-side code:

To perform some action when a logout occurs, specify an onLogout callback:

      onLogout: callback

Streamline new user onboarding

  • If your app has a new user form, we recommend auto-filling input fields with data from the Store Information API, which returns much of the information you need.
  • If your app doesn't have an approval process for new users, consider automatically generating accounts for new stores that install your app.
  • If your app requires the user to sign in at launch, use the information BigCommerce sends to your callback URL to authenticate the user without asking for a username and password each time.
  • If you plan to share user testimonials, add a link to your full case study in the case studies field.

Offer multi-user access

Merchants often have more than one person who can access a store's control panel. BigCommerce allows additional users to access an app when the store owner has granted them appropriate permissions. The requirements for supporting multi-user app access are:

In the payload returned when a user launches an app, users are distinguished by owner_email versus user_email. If these two emails match, the user is the store owner.

Enabling user removal is optional. If you want merchants to be able to remove users, write a remove_user callback and add its URL to your app's Developer Portal profile. For more advanced implementations, you can enable the store owner to grant specific permissions to different non-admin users. For example, a user could be permitted to edit product inventory but not view orders. If you decide to implement user permissions in your app, it's a great feature to advertise.

For more information, see Multi-User Support.


Consider hosting on Google Cloud Platform's us-central1 region

BigCommerce is hosted on Google Cloud Platform in the us-central1 region; host your app in the same region to minimize latency on API requests and webhook deliveries.
