Most Marketplace app rejections we see are not feature problems. They are OAuth implementation problems. Freshworks reviewers are strict about three things: token storage, scope minimization, and refresh failure handling.

Use the platform OAuth handler, not your own

Hand-rolling an OAuth 2.0 flow in a Marketplace app is a rejection magnet. Define the OAuth settings in config/oauth_config.json and let the platform manage the authorization code exchange and token storage.

{
  "client_id": "<%= iparam.client_id %>",
  "client_secret": "<%= iparam.client_secret %>",
  "authorize_url": "https://accounts.example.com/oauth/authorize",
  "token_url": "https://accounts.example.com/oauth/token",
  "options": { "scope": "read write" },
  "token_type": "account"
}

Pick account vs agent token type carefully

An account token is obtained once per install and shared by every agent; an agent token is obtained per user. Use agent only when actions must be performed as the logged-in agent for audit trail reasons. Reviewers reject account tokens used for personal operations, and vice versa.

Refresh token failures are silent killers

The platform refreshes tokens automatically, but only when your request fails with 401. If the upstream returns 403, or 200 with an error body, you must invoke the template yourself via $request.invokeTemplate (with isOAuth: true set on the template) and handle the rejection.

// Calls the "getDeals" template from requests.json; the template itself must
// carry isOAuth: true so the platform attaches the access token for you.
function loadDeal(dealId) {
  return $request.invokeTemplate("getDeals", { context: { dealId } })
    .then(handleSuccess)
    .catch(err => {
      // 401 here means the platform's automatic refresh did not recover the
      // token; 403 is never retried by the platform, so treat it the same way.
      if (err.status === 401 || err.status === 403) renderReauthBanner();
    });
}

Iparams hygiene

Never store secrets in install parameters as plain strings. Set the secure flag on each credential iparam so the value is encrypted at rest. Stating this in your submission notes cuts down the review back-and-forth.

Scope minimization

Request the minimum scopes needed for the documented features. If your app description says "syncs deals," do not also request users.write. Reviewers diff the requested scopes against the feature list.

What to do this week

Move OAuth config into oauth_config.json, mark every credential iparam as secure, audit your scope list against your feature list, and add a re-auth banner for non-401 token failures.