Getting an app onto the Shopify App Store is one bar; earning Built for Shopify status is a higher one. Having shipped our own apps through review, here is the checklist we actually work to.
1. Authentication done the modern way
Embedded apps must install through OAuth, verify the HMAC on every callback and redirect Shopify sends (and check the state nonce and that the shop parameter is a real *.myshopify.com hostname before using it), and authenticate the embedded admin with App Bridge session tokens rather than third-party cookies. A session token is a short-lived JWT signed with the app's client secret; the backend must check its signature, expiry and audience on every request. Offline and online access tokens should be stored encrypted at rest, and the App Bridge script must be loaded from Shopify's CDN as the first script on the page, not bundled or deferred.
2. The mandatory webhooks
All three GDPR/compliance webhooks, customers/data_request, customers/redact and shop/redact, must be registered and implemented, HMAC-verified against the X-Shopify-Hmac-SHA256 header using the raw request body (not a re-serialised JSON object), answered with 401 when verification fails, and they must actually do what they claim: export, then delete. app/uninstalled should delete the stored access token and start cleaning up the shop's data; shop/redact arrives later and must finish the job.
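The three checks in sections 1 and 2 share one primitive, an HMAC-SHA256 keyed with the app's client secret, so here they are together as an added example (not the page's or any Shopify library's code): verifying the OAuth callback query, a session-token JWT, and a webhook body. The API key, client secret, shop name and the "minting" helpers are constructed for the demo; in production Shopify produces those values and the app only verifies.

```python
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qsl, urlencode, urlparse

# Hypothetical credentials for the demo only; real ones come from the Partner Dashboard.
API_KEY = "example-api-key"
CLIENT_SECRET = "example-client-secret"

# Only accept shop hostnames of this shape before redirecting to or calling them.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$")


def valid_shop_domain(shop: str) -> bool:
    return bool(SHOP_RE.match(shop))


# --- 1a. OAuth callback: hmac= over the sorted remaining query parameters ---------
def _oauth_message(params: dict) -> str:
    # Drop hmac itself, sort the rest lexically, join as key=value with '&'.
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")


def verify_oauth_hmac(query: str, client_secret: str) -> bool:
    params = dict(parse_qsl(query, keep_blank_values=True))
    expected = hmac.new(client_secret.encode(), _oauth_message(params).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare, and never trust the shop name before the HMAC is good.
    return (hmac.compare_digest(expected, params.get("hmac", ""))
            and valid_shop_domain(params.get("shop", "")))


def sign_oauth_query(params: dict, client_secret: str) -> str:
    """Constructed for the demo: builds a callback query the way Shopify would."""
    mac = hmac.new(client_secret.encode(), _oauth_message(params).encode(),
                   hashlib.sha256).hexdigest()
    return urlencode({**params, "hmac": mac})


# --- 1b. App Bridge session token: HS256 JWT signed with the client secret -------
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_session_token(token: str, api_key: str, client_secret: str,
                         now: float, leeway: int = 10):
    """Return the claims if the token is valid for this app right now, else None."""
    try:
        h, p, s = token.split(".")
        signing_input = f"{h}.{p}".encode()
        expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # refuse alg=none & co.
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != api_key:                       # token minted for another app
        return None
    if not (claims.get("nbf", 0) - leeway <= now < claims.get("exp", 0) + leeway):
        return None                                        # expired or not yet valid
    iss_host = urlparse(claims.get("iss", "")).hostname
    dest_host = urlparse(claims.get("dest", "")).hostname
    if not (iss_host and iss_host == dest_host and valid_shop_domain(iss_host)):
        return None
    return claims


def mint_session_token(shop: str, api_key: str, client_secret: str, iat: int) -> str:
    """Constructed for the demo: Shopify mints real tokens, the app never does."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": f"https://{shop}/admin", "dest": f"https://{shop}", "aud": api_key,
              "sub": "1", "exp": iat + 60, "nbf": iat, "iat": iat, "jti": "demo", "sid": "demo"}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# --- 2. Webhooks: base64(HMAC-SHA256(secret, raw body)) in X-Shopify-Hmac-SHA256 ---
def webhook_header_for(raw_body: bytes, client_secret: str) -> str:
    """Constructed for the demo: what Shopify puts in the header for this body."""
    return base64.b64encode(hmac.new(client_secret.encode(), raw_body, hashlib.sha256).digest()).decode()


def verify_webhook(raw_body: bytes, header_hmac: str, client_secret: str) -> bool:
    # Verify over the exact bytes received; re-serialising the parsed JSON breaks the MAC.
    return hmac.compare_digest(webhook_header_for(raw_body, client_secret), header_hmac)
```

A handler that fails `verify_webhook` should respond 401 and do nothing else; a request that fails `verify_oauth_hmac` should not be redirected anywhere, since the shop parameter is attacker-controlled until the MAC checks out.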
3. Billing through Shopify only
Every charge runs through the Shopify Billing API (recurring subscriptions plus capped usage charges where relevant). No external payment flows, and no merchant-facing cancellation that the Billing API does not know about. Test charges (the test flag on a charge) must be gated behind a development-only configuration switch so a production build can never create one.
4. Performance is a feature
The embedded admin is held to a Core Web Vitals budget (LCP, CLS, INP), measured from within the Shopify admin. Heavy data should never block first paint: render the shell, then load it. Large payloads, like video, should be uploaded by the browser directly to storage through a signed upload URL, never proxied through your server.
5. Data minimisation
Request the narrowest OAuth scopes you can justify (read_ rather than write_ wherever reading is enough), store only the fields you actually use, and delete them when a redaction webhook arrives. Reviewers notice over-broad scopes, and every extra scope is more data you are accountable for.
None of this is exotic, but all of it has to be right at the same time. That is the difference between "it works on my dev store" and an app that passes review and keeps merchants' trust.
Need an app built to this standard? See our custom Shopify app development service, or browse the apps we've published.