App certification and review without the pain
Treat the certification checklist as acceptance criteria. How to prep the security questionnaire, avoid the common rejections, and pass app review fast.
You built the integration. It works. You submit it to the marketplace, and then it sits. A week later a reviewer sends back a list: a scope you cannot justify, an error case you did not handle, a data question you have no documented answer for. You fix one thing, resubmit, wait again, get another list. What should have been a formality has become a multi-week rework cycle, and the launch date you promised is gone.
This is the most common way app certification goes wrong, and it is entirely avoidable. The pain does not come from the review being hard. It comes from discovering the requirements at the end, when they are expensive to satisfy, instead of at the start, when they are cheap to design in. The fix is a mindset shift: treat the certification checklist as acceptance criteria for the build, not a gate that appears after it.
This guide is an independent overview of how to pass app certification and review without the rework cycle. It does not quote any specific marketplace's named requirements or criteria, because those vary by marketplace and change. What it gives you is the durable approach: how to use the checklist as a spec, how to prepare the security questionnaire as a deliverable, and how to avoid the rejections reviewers issue over and over.
If you are still choosing where to list, the SaaS marketplace strategy guide covers that. This post is about getting through review once you have chosen.
The 60-second version
- Certification feels painful only because teams discover the requirements at submission. Pull the checklist before you scope the build and the review becomes a formality.
- Treat the review checklist as acceptance criteria. Every requirement, scopes, error handling, branding, data handling, becomes a line in your definition of done, not a surprise at the end.
- The security questionnaire is a deliverable, not a form. Prepare a data flow diagram, scope justifications, an auth lifecycle doc, a deletion policy, and a security contact before you submit.
- Request the minimum scopes, and justify each one. Over-broad permissions are the single most common reason a security reviewer pushes back.
- Handle the unhappy paths. Reviewers test what happens when the token expires, the API errors, or the customer uninstalls. Silent failures fail review.
- Most rejections are a handful of repeat offenders. Over-scoping, weak error handling, branding violations, missing data answers, and a broken first-run experience. Pre-empt them and you pass.
- Treat reviewer feedback as a bug list, not a negotiation. Fix, self-audit against the full checklist, and resubmit once, cleanly.
Why certification feels painful (and why it should not)
Every marketplace worth listing in runs a review process. It is there to protect the marketplace's customers from apps that leak data, request more access than they need, break in ways that generate support tickets, or misrepresent the brand. Those are reasonable goals, and a serious enterprise buyer asks for the same assurances. So the review is not an arbitrary obstacle; it is the marketplace doing the diligence your future customers would do anyway.
The pain is a sequencing problem. Most teams build the integration to make it work, submit it, and only then read the review requirements closely. At that point, every requirement they missed is a change to finished, tested code, plus a resubmission and another wait in the queue. The cost of each requirement is highest exactly when they encounter it.
Flip the sequence and the cost collapses. If you pull the review checklist before you write a line of integration code and fold every requirement into your scope, then the requirements are satisfied by construction. The same OAuth scope discipline, error handling, and data-handling commitments that the reviewer checks are things you built deliberately from the start. The review becomes a confirmation of work already done, which is what a smooth certification actually is.
| Approach | When requirements are discovered | What review feels like |
|---|---|---|
| Checklist as gate | At submission, against finished code | A rework cycle of fix, resubmit, wait |
| Checklist as acceptance criteria | Before scoping, designed in from the start | A formality that confirms work already done |
The checklist as acceptance criteria
The core move is to treat the marketplace's review checklist the way you treat any acceptance criteria: as the definition of done that the build must satisfy before it is finished. This is the same discipline we apply to certification in the SaaS marketplace strategy guide, applied in detail here.
Before scoping the integration, pull every document the marketplace publishes about review: the technical requirements, the branding guidelines, the data and security policy, and the security questionnaire itself. Turn each requirement into an explicit acceptance criterion attached to the work. The integration is not done when it works in a demo; it is done when it satisfies every line on that list.
A practical way to organize it is by the categories reviewers consistently evaluate:
| Category | What the reviewer checks | Your acceptance criterion |
|---|---|---|
| Scopes and permissions | You request only what you use, each justified | Every scope mapped to a feature that needs it |
| Authentication | Tokens stored, refreshed, and revoked correctly | A documented, tested auth lifecycle |
| Error handling | The app fails gracefully and informatively | Every unhappy path handled and tested |
| Data handling | Storage, encryption, retention, and deletion are sound | A documented data flow and deletion policy |
| Branding | The listing follows the marketplace's brand rules | Assets and copy reviewed against the guidelines |
| First-run experience | A new user can install and reach value | A tested setup-to-first-action path |
When the build is scoped against this table, the reviewer's feedback list shrinks to nearly nothing, because the things they look for are things you already did on purpose. The teams who experience certification as months are the ones who built first and read the requirements second.
The security questionnaire is a deliverable
The single place most submissions stall is the security review, because the security questionnaire is treated as a form to fill out under time pressure rather than a deliverable to prepare in advance. Prepare it like documentation you would hand an enterprise buyer, because it is the same information, and the work pays off twice.
Five artifacts answer the large majority of what any security reviewer asks:
| Reviewer asks | Have ready |
|---|---|
| How is customer data stored and encrypted? | A data flow diagram and your encryption approach |
| What scopes does the app request, and why? | A scope-by-scope justification, minimum necessary |
| How do you handle token storage, refresh, and revocation? | An authentication lifecycle document |
| What happens to customer data on uninstall? | A documented deletion and retention policy |
| Who is your security contact and disclosure process? | A named contact and a public policy page |
None of this is exotic, and none of it should be written for the first time at submission. The data flow diagram is something you should have anyway. The scope justification falls out of the acceptance criteria above. The auth lifecycle document is your own design written down. The deletion policy is a real commitment you make to customers. The security contact and disclosure process are basic hygiene. Prepare these once and they serve every marketplace review and every enterprise security questionnaire you will ever face. For the underlying security practices these questions probe, the OWASP Application Security Verification Standard is a solid independent reference, and the OWASP cheat sheets give concrete guidance per topic.
The questionnaire is also where the marketplace's terms intersect with your own contracts, data processing and liability in particular. Settle those before submission, not during, so the security review does not stall on a legal question nobody has answered.
Scopes: the most common reason for rejection
If there is one thing a security reviewer pushes back on more than any other, it is over-broad scopes. An app that requests write access to everything when it reads one resource, or asks for a permission with no visible use, reads as a risk, and reviewers reject risk by default. The principle reviewers apply is least privilege: request the minimum access your features actually need, and be able to justify each scope by pointing to the feature that uses it.
The discipline is simple to state and easy to skip under deadline pressure. For every scope you request, name the specific feature that needs it. If you cannot, drop the scope. If you requested broad access early in development because it was convenient and never tightened it before submission, tighten it now, because the reviewer will catch it and you will resubmit anyway. We cover the auth and scope design that makes this clean in handling auth in integrations, and for the API surface itself the OWASP API Security project lays out the risks reviewers are guarding against.
A useful self-check before submission: read your own scope list as if you were the reviewer. For each one, ask "why does this app need this, and what breaks if I remove it?" If you cannot answer crisply, the reviewer will ask the same question and you will be answering it on their timeline instead of yours.
Error handling and the unhappy paths
Reviewers do not just test that your integration works when everything goes right. They test what happens when it goes wrong, because that is where real customers will be, and a silent or confusing failure becomes a support burden on the marketplace. An app that works perfectly in the happy path and falls apart when a token expires or the partner API returns an error fails review for good reason.
The unhappy paths reviewers commonly probe:
- Token expiry and refresh. What happens when the access token expires mid-use? The app should refresh transparently or prompt the user clearly, never fail silently or loop.
- API errors from the other side. When the partner API returns an error or times out, the app should degrade gracefully with a message that says what happened and what to do, not a blank screen or a stack trace.
- Permission changes. If a customer revokes a scope or downgrades access, the app should detect it and handle it cleanly rather than throwing on every call.
- Uninstall and disconnection. When a customer uninstalls, data handling should follow your stated deletion policy, and the disconnection should be clean on both sides.
- Empty and edge states. A brand-new account with no data, a very large account, a rate-limited request: each should behave sensibly.
The error-design work that makes these pass is worth doing for its own sake, since the same error shapes that satisfy a reviewer also reduce your support load. We go deep on it in API error design that speeds up integration. The reviewer's mindset is simple: assume something will go wrong, and check that the app behaves like a responsible adult when it does.
The common rejections, and how to pre-empt them
Across marketplaces, rejections cluster around a short list of repeat offenders. Pre-empt these five and you remove most of the reasons a submission gets bounced.
| Rejection | Why it happens | The pre-empt |
|---|---|---|
| Over-scoping | Requesting more access than the app uses | Map every scope to a feature; drop the rest |
| Weak error handling | Silent or confusing failures on the unhappy paths | Handle and test token expiry, API errors, uninstall |
| Branding violations | Listing assets break the marketplace's brand rules | Review copy and assets against the guidelines before submitting |
| Missing data answers | The security questionnaire has gaps | Prepare the five artifacts as a deliverable in advance |
| Broken first run | A new user installs and cannot reach value | Test the setup-to-first-action path as a new user |
Two of these deserve emphasis. Branding violations are avoidable and frustrating because they have nothing to do with how good your integration is; they are about following the marketplace's rules for how its brand and yours appear together. Read the branding guidelines and check every asset and string before you submit, because an otherwise perfect app gets bounced for a logo used the wrong way.
The broken first run is the subtle one. A reviewer often installs the app as a new customer would, and if the first-run experience is confusing, errors out, or leaves them unsure what to do, that reflects on the marketplace's customers' experience, so it can fail review even when the integration itself is sound. Test the install-to-first-action path with fresh eyes, ideally someone who has never seen it, the same activation discipline that turns installs into engaged users.
How to run a clean submission
Put the pieces together into a sequence that avoids the rework cycle:
- Pull every review document before scoping. Technical requirements, branding guidelines, data and security policy, and the security questionnaire.
- Scope the build with the checklist as acceptance criteria. Each requirement becomes a line in your definition of done.
- Prepare the security questionnaire as a deliverable. The five artifacts, written once, reused everywhere.
- Self-audit against the full checklist before submitting. Read your own scopes, error handling, branding, and first run as if you were the reviewer.
- Submit once, cleanly, with the questionnaire attached. Do not submit a partial app hoping to fix the rest during review.
- Treat feedback as a bug list, not a negotiation. Fix every item, re-run the self-audit, and resubmit once.
Done this way, app review is measured in days for most marketplaces. The variable is almost never the marketplace's speed. It is how prepared the submission was when it arrived.
Common mistakes, and the fix
Discovering requirements at submission. The fix: pull the full checklist and questionnaire before scoping, and treat them as acceptance criteria. Requirements designed in from the start are cheap; requirements bolted on at the end are a rework cycle.
Filling out the security questionnaire under deadline pressure. The fix: prepare the five artifacts, data flow diagram, scope justifications, auth lifecycle, deletion policy, and security contact, as a deliverable in advance. They serve every review and every enterprise buyer.
Requesting broad scopes for convenience. The fix: least privilege. Map every scope to a feature that needs it, justify each one, and tighten anything you grabbed during development before you submit.
Handling only the happy path. The fix: test and handle token expiry, partner API errors, permission changes, uninstall, and edge states. Reviewers probe the unhappy paths because that is where customers end up.
Submitting a partial app hoping to fix the rest in review. The fix: self-audit against the full checklist and submit once, cleanly. Each resubmission is another wait in the queue; one clean submission beats three rushed ones.
FAQ
How long does app certification take? For most marketplaces with a documented review process, days to a couple of weeks once you submit, assuming you treated the checklist as acceptance criteria and prepared the security questionnaire. Deep enterprise reviews can take longer. The variable is rarely the marketplace; it is how prepared the submission is.
What is the most common reason apps get rejected? Over-scoping: requesting more access than the app actually uses. Security reviewers reject risk by default, and an unjustified broad scope reads as risk. Map every scope to a feature that needs it and justify each one, and you remove the single most common rejection.
How do we prepare for the security questionnaire? Treat it as a deliverable, not a form. Prepare a data flow diagram, a scope-by-scope justification, an authentication lifecycle document, a deletion and retention policy, and a named security contact with a disclosure process. These answer most of what any reviewer asks and serve enterprise buyers too.
Do reviewers really test error cases? Yes. Reviewers commonly test what happens when a token expires, the partner API errors, a customer revokes access, or someone uninstalls, because that is where real customers end up and where silent failures create support burden. Handle the unhappy paths and you pass the part most apps fail.
What is the fastest way to pass review? Pull every review document before you scope, build against the checklist as acceptance criteria, prepare the security questionnaire in advance, self-audit as if you were the reviewer, and submit once cleanly. Then treat any feedback as a bug list. Preparation, not speed, is what makes certification fast.
Why did our app fail for branding when the integration works fine? Because certification checks how the marketplace's brand and yours appear together, not just whether the code works. A logo used the wrong way or copy that breaks the guidelines fails review independently of integration quality. Read the branding rules and check every asset and string before submitting.
Further reading
- OWASP Application Security Verification Standard, an independent framework for the security requirements reviewers probe.
- OWASP API Security project, for the API-layer risks that drive scope and data questions in review.
- OWASP cheat sheets, concrete, per-topic guidance on authentication, data handling, and more.
The short version
App certification is painful only when you discover the requirements at submission, against finished code. Treat the review checklist as acceptance criteria from the start, and the review becomes a formality that confirms work you already did on purpose. Prepare the security questionnaire as a deliverable, a data flow diagram, scope justifications, an auth lifecycle, a deletion policy, and a security contact, so the security review does not stall. Request the minimum scopes and justify each one, handle the unhappy paths reviewers test, and pre-empt the five common rejections. Then self-audit, submit once cleanly, and treat any feedback as a bug list.
If you want the whole path handled, from a partner-ready integration through a clean certification and a listing that converts, that is exactly what a Partner Audit is for. We review your product, your API, and your marketplace readiness, then define what to build and how to pass review without the rework cycle.