If your app uses the App SDK, your code will be reviewed by the Attio team before it can be published. This page describes a non-exhaustive list of issues our team will look for during code review.

Security and privacy

  • Sensitive data (e.g. API keys, secrets, or tokens) MUST NOT be exposed in client-side code or exist as unencrypted data anywhere in the codebase.
  • All sensitive data MUST be stored and handled securely.
  • All external API calls MUST be authenticated appropriately.
  • All webhooks received by the app MUST be verified appropriately.
  • PII MUST NOT be sent externally without appropriate consent.
  • PII MUST NOT be logged.

Quality

  • As far as is possible, your app SHOULD be free of runtime errors and unhandled exceptions.
  • Your app SHOULD handle loading and error states gracefully.
  • Your app’s UI SHOULD be responsive and consistent with Attio’s design language.
  • All form inputs MUST be validated correctly.

Production-readiness

  • Your app MUST NOT use any experimental or deprecated API features.