Review the following best practices before submitting your app to the App Marketplace.
RFC 6749 discusses OAuth security considerations, recommendations, and requirements. Here’s a summary of important items applicable to apps:
For details, see Security Considerations in RFC 6749. For a list of the top web application security risks and best practices to avoid them, see OWASP Top Ten.
For recommendations on API request-related best practices, including rate limits, threading, parallel requests, and the finer points of request headers, see our article on Best Practices.
Rather than polling endpoints, get notified when updates occur by subscribing to webhooks.
The BigCommerce SDK keeps apps synchronized with the control panel. To use it, load the SDK at the top of your application’s main index. Since it runs as frontend code, it must be executed in the browser to function properly.
Run the following command to import the library:
Next, initialize the SDK. This should be done in the first part of the application that has access to the window object. In React-based applications, including Next.js, this can be done inside of useEffect or componentDidMount (for class components).
To enhance security, you can pass an onLogout callback, which triggers when a user logs out of the control panel—even from a separate tab. For example, the Next.js sample app calls an internal API to remove the user from the active session. See the following example for more details.
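The following is an added example, not code from the page, the BigCommerce SDK, or the Next.js sample app. It shows the two pieces the paragraphs above describe: loading the SDK only in the browser, exactly once, and wiring an onLogout callback that ends the app's own session. It assumes the SDK script is served from the SDK_SRC URL and exposes a global `Bigcommerce` object with an `init({ onLogout })` method once loaded, and that the app has an internal `/api/logout` endpoint and a `/logged-out` page; all four are assumptions.

```javascript
// Added example (not code from the page, the BigCommerce SDK, or the sample app).
// Assumptions: the SDK script lives at SDK_SRC and, once loaded, exposes a global
// `Bigcommerce` object with `init({ onLogout })`; the app has a hypothetical
// internal endpoint `/api/logout` that ends the server-side session and a
// hypothetical `/logged-out` page.
const SDK_SRC = 'https://cdn.bigcommerce.com/jssdk/bc-sdk.js'; // assumed URL

// Builds the onLogout callback. It is idempotent because the control panel can
// fire logout for every open tab, and it always clears client state, even if the
// server call fails, so stale merchant data is not left on screen.
function createLogoutHandler({ fetchImpl, redirectTo, endpoint = '/api/logout' }) {
  let handled = false;
  return async function onLogout() {
    if (handled) return { status: 'already-handled' };
    handled = true;
    let status = 'server-error';
    try {
      const res = await fetchImpl(endpoint, { method: 'POST', credentials: 'same-origin' });
      if (res.ok) status = 'session-cleared';
    } catch (err) {
      // Network failure: still fall through to the redirect below.
    }
    redirectTo('/logged-out');
    return { status };
  };
}

// Loads the SDK once and wires the callback. Returns false when there is no
// browser window (server-side rendering) or the script is already present,
// so it is safe to call from useEffect / componentDidMount.
function initBigCommerceSdk(win, onLogout) {
  if (!win || !win.document) return false;
  const doc = win.document;
  if (doc.querySelector(`script[src="${SDK_SRC}"]`)) return false;
  const script = doc.createElement('script');
  script.src = SDK_SRC;
  script.async = true;
  script.onload = () => win.Bigcommerce.init({ onLogout });
  doc.head.appendChild(script);
  return true;
}

// Browser usage, e.g. inside useEffect in a React or Next.js app:
//   initBigCommerceSdk(window, createLogoutHandler({
//     fetchImpl: window.fetch.bind(window),
//     redirectTo: (path) => window.location.assign(path),
//   }));
```

The redirect happens regardless of the server response on purpose: if the session-clearing request fails, the merchant's data should still disappear from the tab, and the server-side session will expire on its own timeout.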
Merchants often have more than one person who can access a store’s control panel. BigCommerce allows additional users to access an app when the store owner has granted them appropriate permissions. The requirements for supporting multi-user app access are:
Key the app’s stored data by store_hash, rather than a user’s info.
In the payload returned when a user launches an app, users are distinguished by owner_email versus user_email. If these two emails match, the user is the store owner.
Enabling user removal is optional. If you want merchants to be able to remove users, you can do so by writing a remove_user callback and adding its URL to your app’s Developer Portal profile. For more advanced implementations, you can enable the store owner to grant specific permissions to different non-admin users. For example, person1@example.com could be permitted to edit product inventory but not view orders. If you decide to implement user permissions in your app, it’s a great feature to advertise.
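The following is an added example, not code from the page or from BigCommerce, that puts the multi-user rules above into working form: app data keyed by store_hash, owner detection by comparing owner_email with user_email, owner-granted permissions for non-admin users, and the removal a remove_user callback would perform. It assumes the launch payload has already been verified and decoded into an object with `store_hash`, `owner_email` and `user_email` fields (names follow the page's wording), and the permission names are a hypothetical vocabulary for this example.

```javascript
// Added example (not code from the page or from BigCommerce). Assumptions: the
// launch payload is already verified and decoded into an object with
// `store_hash`, `owner_email` and `user_email`; PERMISSIONS is a hypothetical
// permission vocabulary for this example.
const PERMISSIONS = new Set(['edit_inventory', 'view_orders']);

// Per-store state, keyed by store_hash rather than by user, so every person who
// can access the store's control panel resolves to the same app data.
// In-memory here; a real app persists it.
const storeRecords = new Map(); // store_hash -> { accessToken, users: Map(email -> Set(permission)) }

function normalizeEmail(email) {
  return String(email).trim().toLowerCase(); // design choice: compare case-insensitively
}

// Page rule: if owner_email and user_email match, the launching user is the owner.
function isStoreOwner(payload) {
  return normalizeEmail(payload.owner_email) === normalizeEmail(payload.user_email);
}

function storeRecord(storeHash) {
  if (!storeRecords.has(storeHash)) storeRecords.set(storeHash, { accessToken: null, users: new Map() });
  return storeRecords.get(storeHash);
}

// Called after the OAuth install completes; the token belongs to the store,
// not to the user who happened to install the app.
function saveStoreToken(storeHash, accessToken) {
  storeRecord(storeHash).accessToken = accessToken;
}

// Resolves a launch payload into a session: the store key, the user's role and
// the permissions to enforce. Non-owners get only what the owner granted; an
// unknown non-owner gets nothing.
function sessionFromLaunch(payload) {
  const storeHash = payload.store_hash;
  const email = normalizeEmail(payload.user_email);
  const owner = isStoreOwner(payload);
  const granted = storeRecord(storeHash).users.get(email) || new Set();
  return {
    storeHash,
    email,
    role: owner ? 'owner' : 'user',
    permissions: owner ? new Set(PERMISSIONS) : new Set(granted),
  };
}

// Only a session that resolved to the store owner can grant permissions.
function grantPermission(ownerSession, targetEmail, permission) {
  if (ownerSession.role !== 'owner') throw new Error('only the store owner can grant permissions');
  if (!PERMISSIONS.has(permission)) throw new Error(`unknown permission: ${permission}`);
  const users = storeRecord(ownerSession.storeHash).users;
  const email = normalizeEmail(targetEmail);
  if (!users.has(email)) users.set(email, new Set());
  users.get(email).add(permission);
}

function can(session, permission) {
  return session.permissions.has(permission);
}

// What a remove_user callback would call once it has validated the request:
// drops every permission the user held in that store. Returns true if removed.
function removeUser(storeHash, email) {
  return storeRecord(storeHash).users.delete(normalizeEmail(email));
}
```

The role is recomputed from the payload on every launch rather than cached, so a user who stops being the owner, or whose grants the owner revoked, is not left with stale rights; the e-mail comparison is case-insensitive as a design choice, since the page only says the two addresses must match.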
For more information, see Multi-User Support.
BigCommerce is hosted on Google Cloud Platform in the us-central1 region; to maximize performance, host your app in the same region.