The app manifest

Your app IS a manifest.json — one reviewable, certifiable, installable document.

Top-level fields

field              type                      notes
manifestVersion    1                         literal
name               string 2–80               listing display name
slug               ^[a-z][a-z0-9_-]{1,59}$   permanent id; first publisher to submit a slug owns it
version            semver                    MAJOR.MINOR.PATCH — see Versioning
description        string 10–5000            ≥ 40 chars to clear listing-quality checks; this is your storefront
category           enum                      sales marketing finance productivity support data
icon               string ≤ 8                emoji or short glyph
publisher          object                    { name, website?, supportEmail? }
permissions        scope[] ≤ 20              see below
pricing            object                    { model: free|paid, monthlyPriceUsd?, platformShareBps } — 3000 bps = the 70/30 split
connection         object?                   connector auth + sync contract — Connector SDK
customObjects      array ≤ 10                Custom objects
workflowTemplates  array ≤ 20                Workflows (typed-DSL nodes)
webhooks           array ≤ 10                Webhooks
agentScripts       array ≤ 5                 AI agents
uiExtensions       array ≤ 10                https links on record pages / dashboard / settings; {{recordId}}/{{tenantId}} templating
native             object?                   first-party listings mapping to built-in settings pages — not for third-party apps

Permission scopes

leads:read leads:write contacts:read contacts:write opportunities:read opportunities:write tasks:read tasks:write custom_objects:read custom_objects:write workflows:read workflows:write webhooks:manage agents:invoke

Three rules certification enforces:

  1. Every scope must be from the list above (permissions.known).
  2. Everything you provision must be covered — custom objects need custom_objects:write, workflow templates need workflows:write, webhooks need webhooks:manage, agent scripts need agents:invoke (permissions.declared).
  3. Least privilege is reviewed by humans: scopes nothing in the package uses draw warnings and slow review down.

At install, the tenant sees every scope and must acknowledge each one — undeclared access does not exist.
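
A local pre-check for rules 1 and 2, plus a rough hint for rule 3, that can run before the certify call. This is an added example, not the platform's certifier: check_permissions, its report shape and the sample manifest are assumptions, and the unused-scope hint only looks at the four provisioning scopes.

```python
# Added example: local pre-check of manifest permissions before certification.
# Not the platform's certifier; function name and report shape are assumptions.
KNOWN_SCOPES = {
    "leads:read", "leads:write", "contacts:read", "contacts:write",
    "opportunities:read", "opportunities:write", "tasks:read", "tasks:write",
    "custom_objects:read", "custom_objects:write", "workflows:read",
    "workflows:write", "webhooks:manage", "agents:invoke",
}

# Manifest section -> scope that must cover it (rule 2 on this page).
REQUIRED_BY_SECTION = {
    "customObjects": "custom_objects:write",
    "workflowTemplates": "workflows:write",
    "webhooks": "webhooks:manage",
    "agentScripts": "agents:invoke",
}

def check_permissions(manifest):
    declared = manifest.get("permissions", [])
    errors, warnings = [], []
    # Rule 1 (permissions.known): every scope must come from the published list.
    for scope in declared:
        if scope not in KNOWN_SCOPES:
            errors.append(("permissions.known", scope))
    for section, scope in REQUIRED_BY_SECTION.items():
        provisioned = bool(manifest.get(section))
        if provisioned and scope not in declared:
            # Rule 2 (permissions.declared): provisioning without the covering scope.
            errors.append(("permissions.declared", f"{section} needs {scope}"))
        elif not provisioned and scope in declared:
            # Rule 3 hint only: human review decides what counts as unused.
            warnings.append(f"{scope} declared but no {section} provisioned")
    return {"errors": errors, "warnings": warnings}

# Constructed manifest fragment; entry contents are left empty on purpose.
SAMPLE = {
    "permissions": ["leads:read", "leads:delete", "webhooks:manage", "agents:invoke"],
    "webhooks": [{}],
    "customObjects": [{}],
}

if __name__ == "__main__":
    report = check_permissions(SAMPLE)
    for rule, detail in report["errors"]:
        print("ERROR", rule, detail)
    for hint in report["warnings"]:
        print("WARN ", hint)
```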

Validation flow

POST /api/marketplace/certify            # dry run, no submission — full structured report
POST /api/marketplace/developer/apps/submit   # certifies AND records the version