Many Envoy customers rely on third-party apps to power their workplaces, so it’s important that apps offer a reliable, high-quality experience.
These guidelines don't apply to private apps, since a private app can only access your data.
- Your app should solve a problem, either by adding new functionality to Envoy, or by creating a faster, easier, or more efficient way to do something that already exists within Envoy.
- If it uses the Envoy API, it makes sure that the data it collects provides real value to a business.
- It requires minimal interaction between the app's developer and its users to be effective.
All public apps (listed or unlisted) must adhere to these guidelines. Not adhering to these guidelines may lead to having your app removed from the Integration Directory, having your API keys suspended, or being removed from the Envoy Partner program.
- If your app is accessing another company's data, it must authenticate using OAuth.
- Your app should request only the API scopes that are necessary for it to function.
- Your app must include in-app setup instructions that explain how to use it properly.
- Your app must be a stable, finished product when you submit it to be listed on the Integrations Directory. It shouldn't be in beta or an otherwise unfinished state.
- Your app should load quickly and run smoothly. Make sure that you optimize your app to have a fast start-up time (recommended 4 seconds or faster) and fast load times.
- Your app must store salted password hashes instead of actual passwords, as described on OWASP.
- Your app must be protected against cross-site request forgery attacks, cross-site scripting attacks, and other security vulnerabilities.
- Your app must be served over HTTPS using a valid SSL certificate.
- If your app is used by companies based in Europe or companies with users based in Europe, then it's your responsibility to make sure that your app is GDPR compliant.