Publishing Guide

Everything it takes to get your web app live — the steps, our automated AI review, and how we keep every listing secure.

Submit your app View API docs

Before you start

A developer account with a completed developer profile.
A live web app served over HTTPS — HTTP URLs are rejected.
At least one (up to three) categories so your app is discoverable.
A name (2–60 chars), tagline (10–120) and description (50–5,000).
Ideally an embeddable app, so users can try it in the sandbox.

The 4-step submission wizard

Step 1

Basic information

Name, tagline and description
1–3 categories (your app appears under each)
Pricing, maturity & format · plus up to 10 tags

Step 2

URLs & verification

Website + app URL (HTTPS only) and optional links
A live embed check runs as you type the app URL
Not embeddable? It opens in a new tab instead

Step 3

Media & features

App icon (512×512) and up to 5 screenshots
Capabilities — PWA, offline, mobile optimised
Sandbox permissions — request only what you need

Step 4

Preview & submit

Live preview of your marketplace card
A summary of every detail you entered
Submit → created privately, enters review

What happens after you submit

Created privately, then straight into the automated pipeline — most low-risk apps go live within minutes.

Automated AI review

A Claude-powered reviewer checks the app is legitimate, that permissions match what it claims, and flags phishing or misleading claims. Your input is treated as untrusted.

Risk classification

In parallel it’s graded on a five-level risk scale. Sensitive permissions raise the level, and the model can only ever raise the risk, never lower it.

Embed & screenshot

We re-check embed compatibility and auto-capture a screenshot so your listing looks complete from day one.

Auto-approved

Approve + Minimal risk → published instantly, no waiting.

Manual review

Anything in between waits for a human moderator’s call.

Rejected

Reject, or High/Unacceptable risk → rejected with feedback.

How risk is classified

Fewer sensitive permissions → lower risk, faster live.

MinimalNo sensitive permissions. Eligible for instant auto-approval.

LimitedOne sensitive permission, or minor concerns.

ElevatedTwo sensitive permissions — routed to a human.

HighThree+ sensitive permissions. Auto-rejected.

UnacceptableViolates our policies. Auto-rejected.

App statuses

Track where your app is from your dashboard.

Draft — Created, not yet through review.

In review — Checks running or awaiting a moderator.

Published — Live and discoverable.

Rejected — Did not pass — feedback provided.

Suspended — Auto-suspended after repeated failures.

Deprecated / Archived — No longer maintained, or removed.

How we keep submissions secure

Sandboxed by default
Embeddable apps run in a locked-down iframe — they can’t reach the parent page or other apps.
SSRF-safe URL checks
Every URL is fetched through a guarded client that blocks private/loopback/metadata addresses.
Input sanitisation
All text you enter is sanitised server-side before storage, preventing XSS in your listing.

Full model: Security · Developer Agreement

After you’re live

Uptime monitoring· Every 15 min
Health-checks mark your app Healthy, Degraded or Down.
Nightly security scan· Daily
Re-scans for HTTPS, CSP and security headers; Pass / Warn / Fail.
Version drift detection· Every 6h
Spots content changes and nudges you to publish a new version.
Auto-suspension· Hourly
Repeated downtime or failed scans auto-suspend until fixed.

Tips for a fast approval

Make your app embeddable (avoid X-Frame-Options: DENY / CSP frame-ancestors: none).

Request only the permissions you genuinely use — fewer means lower risk.

Write a clear, honest description that matches what the app does.

Serve over HTTPS with a CSP and security headers.

Add an icon and screenshots so the listing looks complete.

Keep your app online — uptime feeds your trust and suspension status.

Ready to publish?

Completely free, and live within minutes.

Submit your app

The 4-step submission wizard

Step 1

Basic information

Name, tagline and description
1–3 categories (your app appears under each)
Pricing, maturity & format · plus up to 10 tags

Step 2

URLs & verification

Website + app URL (HTTPS only) and optional links
A live embed check runs as you type the app URL
Not embeddable? It opens in a new tab instead

Step 3

Media & features

App icon (512×512) and up to 5 screenshots
Capabilities — PWA, offline, mobile optimised
Sandbox permissions — request only what you need

Step 4

Preview & submit

Live preview of your marketplace card
A summary of every detail you entered
Submit → created privately, enters review

What happens after you submit

Created privately, then straight into the automated pipeline — most low-risk apps go live within minutes.

Automated AI review

A Claude-powered reviewer checks the app is legitimate, that permissions match what it claims, and flags phishing or misleading claims. Your input is treated as untrusted.

Risk classification

In parallel it’s graded on a five-level risk scale. Sensitive permissions raise the level, and the model can only ever raise the risk, never lower it.

Embed & screenshot

We re-check embed compatibility and auto-capture a screenshot so your listing looks complete from day one.

Auto-approved

Approve + Minimal risk → published instantly, no waiting.

Manual review

Anything in between waits for a human moderator’s call.

Rejected

Reject, or High/Unacceptable risk → rejected with feedback.

How risk is classified

Fewer sensitive permissions → lower risk, faster live.

MinimalNo sensitive permissions. Eligible for instant auto-approval.

LimitedOne sensitive permission, or minor concerns.

ElevatedTwo sensitive permissions — routed to a human.

HighThree+ sensitive permissions. Auto-rejected.

UnacceptableViolates our policies. Auto-rejected.

App statuses

Track where your app is from your dashboard.

Draft — Created, not yet through review.

In review — Checks running or awaiting a moderator.

Published — Live and discoverable.

Rejected — Did not pass — feedback provided.

Suspended — Auto-suspended after repeated failures.

Deprecated / Archived — No longer maintained, or removed.

How we keep submissions secure

Sandboxed by default

Embeddable apps run in a locked-down iframe — they can’t reach the parent page or other apps.

SSRF-safe URL checks

Every URL is fetched through a guarded client that blocks private/loopback/metadata addresses.

Input sanitisation

All text you enter is sanitised server-side before storage, preventing XSS in your listing.

After you’re live

Uptime monitoring· Every 15 min

Health-checks mark your app Healthy, Degraded or Down.

Nightly security scan· Daily

Re-scans for HTTPS, CSP and security headers; Pass / Warn / Fail.

Version drift detection· Every 6h

Spots content changes and nudges you to publish a new version.

Auto-suspension· Hourly

Repeated downtime or failed scans auto-suspend until fixed.

Tips for a fast approval

Make your app embeddable (avoid X-Frame-Options: DENY / CSP frame-ancestors: none).

Request only the permissions you genuinely use — fewer means lower risk.

Write a clear, honest description that matches what the app does.

Serve over HTTPS with a CSP and security headers.

Add an icon and screenshots so the listing looks complete.

Keep your app online — uptime feeds your trust and suspension status.

Ready to publish?

Completely free, and live within minutes.

Submit your app