Publishing & review
Apps on Stayblox follow a self-service partner workflow: you create and manage apps through the Developer section in the panel (visible to verified partners), test on your own teams without review, then submit for review when ready to publish.
Access requires a verified partner account. See the partner documentation for how to become a verified partner — the same verification gate applies to both apps and themes.
Creating an app
- Open the panel → Developer → Apps → New app.
- Enter a name and select the app type (remote, payment, channel, or injection).
- The app is created in draft state with credentials issued immediately.
Credentials
Once created, the Developer panel shows your app's credentials:
| Credential | Description |
|---|---|
| Client ID | Public identifier for your app — used as client_id in OAuth flows and signed in JWTs. |
| Client secret | Symmetric secret for verifying embedded-page JWTs and for the OAuth token exchange. Treat like a password. |
The client secret is shown once on creation; use Reveal to view it afterwards (the panel re-decrypts it). Use Rotate to generate a new secret immediately — useful after an accidental exposure. Existing tokens remain valid after rotation; embedded-page JWTs signed with the old secret will fail verification once rotated, but hosts' panel sessions simply reload (a fresh JWT is minted on the next panel load).
Editing the manifest
The Developer panel provides a structured manifest editor — Filament forms for every manifest key:
- Scopes — multi-select from the catalog.
- Webhooks — topic picker (invalid combinations blocked; missing scopes flagged).
- Metafields — repeater with owner, key, type, and visibility fields.
- Settings schema — field builder with key, type, label, required toggle, and default.
- App page URL — validated https:// field.
- OAuth redirect URIs — list of validated https:// URIs.
- Injections — repeater with slot picker and template textarea.
- Payment / Channel — protocol-specific fields shown for those types only.
Manifests are validated on every save. Validation errors appear inline; saving with errors is blocked.
Dev installs
Before submitting for review, install your draft app on any team you own directly from the Developer panel (Install on team). Dev installs skip review and use the current draft manifest — they're designed for local development and integration testing.
Dev installs work exactly like published installs:
- A per-install API token and webhook secret are generated.
- Scopes, metafields, and write mutations all work normally.
- The app page (if declared) renders in the panel.
- OAuth flows work with your registered redirect URIs.
Remove a dev install when you're done testing to clean up.
Submitting for review
When the manifest is ready, click Submit for review in the Developer panel. Submission snapshots the current manifest into an app_version record.
What happens at submission
Automated checks (immediate):
| Check | Detail |
|---|---|
| Manifest schema valid | All fields pass the same validation run on save. |
| Scopes real values | Every scopes entry is a known AppScope. |
| Topics real values | Every webhooks.topics entry is a known WebhookTopic. |
| All URLs https:// | No http:// or insecure URLs anywhere in the manifest. |
| Injection templates | Pass the sanitizer — no inline scripts, only trusted origins. |
| Webhook endpoint responds | If you have a webhook URL, Stayblox sends a signed challenge ping and checks for a valid acknowledgment. |
Automated check results are shown immediately in the version history. Failures block human review but don't prevent re-submission after fixing.
Human review (typically within 2 business days):
A Stayblox reviewer checks:
- The app does what the manifest says.
- Requested scopes are proportionate to the app's stated purpose.
- Injection templates render safely and load only from declared origins.
- The app page (if declared) is reachable and functional.
The reviewer can approve or reject with notes.
Scope escalation
If the submitted version requests new scopes that weren't in the previously approved version, the review flags this prominently. On approval:
- The new manifest goes live.
- Existing installs keep running on their old granted_scopes.
- A "Requests new permissions" banner appears on the app's settings page and on hosts' My Apps list.
- Hosts who approve the new scopes have their granted_scopes updated.
Until a host approves, any API call or webhook delivery that needs a new scope is denied with a userErrors response — your app must handle this gracefully.
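A local pre-submission check covering the automated checks and the scope-escalation rule above, added here as an example and not part of Stayblox's tooling. Only scopes and webhooks.topics are manifest keys named on this page; the other key names, the scope and topic values, and the known-value catalogs are constructed placeholders.

```python
import re

# Matches any scheme://... occurrence, including URLs embedded in injection templates.
URL_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.-]*)://[^\s\"'<>]*")


def insecure_urls(node, path="manifest"):
    """Walk the manifest and return (path, url) for every URL that is not https://."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += insecure_urls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found += insecure_urls(value, f"{path}[{index}]")
    elif isinstance(node, str):
        for match in URL_RE.finditer(node):
            if match.group(1).lower() != "https":
                found.append((path, match.group(0)))
    return found


def presubmit_report(draft, approved, known_scopes, known_topics):
    """Summarise what the submission checks and the reviewer would flag."""
    scopes = set(draft.get("scopes", []))
    topics = set(draft.get("webhooks", {}).get("topics", []))
    return {
        "insecure_urls": insecure_urls(draft),
        "unknown_scopes": sorted(scopes - set(known_scopes)),
        "unknown_topics": sorted(topics - set(known_topics)),
        # Scopes absent from the approved version: hosts must approve these
        # before calls that need them stop returning userErrors.
        "scope_escalation": sorted(scopes - set(approved.get("scopes", []))),
    }


# Constructed sample data; key names other than scopes and webhooks.topics are assumed.
KNOWN_SCOPES = {"bookings:read", "bookings:write", "guests:read"}
KNOWN_TOPICS = {"booking.created", "booking.cancelled"}
APPROVED = {"scopes": ["bookings:read"]}
DRAFT = {
    "scopes": ["bookings:read", "bookings:write", "guest:read"],
    "webhooks": {"url": "https://app.example.com/hooks", "topics": ["booking.created"]},
    "oauth_redirect_uris": ["https://app.example.com/cb", "http://localhost:3000/cb"],
    "injections": [{"slot": "footer", "template": "<img src='http://cdn.example.com/a.png'>"}],
}
```

Running presubmit_report(DRAFT, APPROVED, KNOWN_SCOPES, KNOWN_TOPICS) before each submission shows which scopes will trigger the "Requests new permissions" banner, so the app can be made to degrade cleanly for hosts who have not yet approved them.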
Version history
The Developer panel shows every submitted version with:
- Submission date and who submitted.
- Status: draft → submitted → approved or rejected.
- Automated check results.
- Reviewer notes (on rejection).
- Whether the version introduced a scope escalation.
Only the current approved version is live to hosts. Submitting a new version doesn't take anything offline — the current approved manifest keeps serving until the new version is approved.
First-party (native) apps
First-party apps built by the Stayblox team (type: native) bypass the review pipeline. The manifest validator still runs, but no version record is created and no human review is required. This path is not available to partners.
Marketplace listing
Your app appears in the marketplace once it has at least one approved version and passes the billing publish gate (confirming your partner account is in good standing). Draft apps and apps pending first review are not listed.
The marketplace listing uses your app's name and description from the manifest. App-store marketing pages (screenshots, detailed feature lists) are managed separately by the Stayblox team.
Checklist
- [ ] Verified partner account active.
- [ ] App created in the Developer panel with the correct type.
- [ ] Manifest edited and saved without validation errors.
- [ ] Dev install tested on your own team — API calls, webhooks, app page, OAuth all working.
- [ ] client_secret stored securely in your server's environment (not in source code).
- [ ] Submitted for review.
- [ ] Automated checks pass.
- [ ] Human review approved.