Shopify App Review
shopify-app-review.md · updated 2026-06-12
Runs a pre-submission compliance review of a Shopify app the way an app reviewer would: session token auth, mandatory GDPR webhooks, Billing API usage, embedded app quality, scope minimization, and listing accuracy. Each item gets PASS/FAIL with file-level evidence. Built from shipping and maintaining a merchant-facing Shopify app in production.
Use this when
- Preparing a Shopify app or major update for App Store submission
- Inheriting a Shopify app codebase and needing a compliance baseline
- A previous submission was rejected and you want to clear everything at once
SKILL.md
---
name: shopify-app-review
description: Pre-submission compliance review for Shopify apps. Use when preparing a Shopify app or app update for App Store submission — audits code, OAuth/session handling, webhooks, billing, and the listing against the most common rejection reasons.
---
# Shopify App Pre-Submission Review
You are reviewing a Shopify app the way a Shopify app reviewer would — adversarially, before submission. Work through every section below against the actual codebase. For each item report PASS, FAIL (with file/line evidence), or N/A (with one-line justification). Never mark an item PASS without looking at the code that proves it.
## 1. Authentication & installation
- OAuth flow completes immediately on install — the app must not show a login/signup wall before OAuth. Embedded apps must use session token auth (App Bridge), not cookies.
- Verify HMAC validation on the OAuth callback and on every request that carries query-string HMAC.
- Session tokens are validated server-side (signature + expiry + `dest` claim), not just decoded.
- App works when installed on a development store with no prior data.
## 2. Webhooks (the #1 silent rejection)
- `app/uninstalled` webhook is registered AND handled — all merchant data cleanup happens here.
- Mandatory GDPR webhooks exist and return 200: `customers/data_request`, `customers/redact`, `shop/redact`.
- Every webhook handler verifies the HMAC header before processing the body.
- Handlers respond within 5 seconds — heavy work is queued, not done inline. Look for synchronous external API calls inside webhook handlers and flag them.
## 3. Billing
- All charges go through the Shopify Billing API — flag any Stripe/PayPal checkout for app functionality (allowed only for sales outside app functionality).
- Test charges work on a development store (`test: true` handled properly, never hardcoded for production).
- Upgrade/downgrade paths don't strand the merchant: plan changes cancel the prior subscription.
- Free trial behavior matches what the listing promises.
## 4. Embedded app quality
- App loads inside the Shopify admin iframe without frame-busting; CSP headers include `frame-ancestors` for the shop domain.
- Uses Polaris (or visually consistent equivalent) — flag obviously non-admin-looking UI.
- Navigation works with App Bridge: deep links, the browser back button, and session token refresh after idle.
- No broken states when API scopes are missing — re-auth flow triggers cleanly on 401/403 from Shopify.
## 5. Data & scopes
- Requested scopes are the minimum the app actually uses — list each scope and the code that uses it; flag unused scopes.
- No protected customer data is logged, sent to third-party analytics, or stored beyond need.
- If the app uses AI/LLM processing on shop data, the privacy policy and listing must disclose it.
## 6. Listing readiness
- App name, icon, and screenshots contain no misuse of Shopify trademarks ("Shopify" must not lead the app name).
- Listing claims match real functionality — flag any feature in the listing copy you cannot find in the code.
- Demo store or screencast URL is provided if the app needs configuration to demonstrate.
## Output format
Produce a single report:
1. **Verdict** — READY / NOT READY with the count of blocking failures.
2. **Blocking failures** — each with evidence (file:line), why Shopify rejects for it, and the minimal fix.
3. **Warnings** — items likely to pass but worth fixing.
4. **Evidence table** — every checklist item with PASS/FAIL/N/A.
Be strict: a false PASS costs a 1–2 week review round-trip. When uncertain, mark FAIL and say what evidence would flip it.
Install in Claude Code
```shell
mkdir -p ~/.claude/skills/shopify-app-review && curl -fsSL https://harshrastogi.tech/skills/shopify-app-review.md -o ~/.claude/skills/shopify-app-review/SKILL.md
```
Then ask Claude Code for the task; the skill is picked up automatically. For a project-scoped install, use `.claude/skills/` inside your repo instead.
Using a different agent?
Skills are plain markdown. Paste the file into any capable AI assistant alongside your task, or wire it into any agent framework that supports system instructions.