Ready to maximize your revenue?Book a Demo
TOPCODE
App Store

The Shopify App Review process explained (2026 edition)

Last updated on June 2, 2026

The Shopify App Review process explained (2026 edition)

TOPCODE

The Shopify App Review process is the gate between your finished development work and a publicly listed app on the Shopify App Store. In 2026 the review is stricter and more thorough than it was even two years ago — Shopify has invested significantly in review quality to protect merchants from low-quality or security-problematic apps. Understanding how the review works, what reviewers actually look at, and what happens when something is rejected is essential knowledge for any developer planning an App Store submission.

What the review process covers

The App Review covers four distinct areas. First, the app listing itself — your app's name, description, screenshots, pricing, and feature list must be accurate and complete. Second, the technical implementation — reviewers install your app on a test store and verify that the OAuth flow works, that GDPR webhooks function correctly, that billing is implemented correctly, and that the UI follows Shopify's design guidelines. Third, the app's API usage — scope declarations are cross-referenced against actual API calls. Fourth, security — apps must use HTTPS everywhere, implement proper CSRF protection on state-modifying endpoints, and not expose API keys in client-side JavaScript.

The review is done by Shopify's partner review team — actual human reviewers, not an automated scanner. The automated checks (broken links in listings, missing screenshots, obvious configuration errors) are filtered out before the human review begins, so by the time a person looks at your app it should have already passed basic automated checks.

Timeline: how long does review take?

As of 2026, Shopify's published target for initial reviews is 5 business days. In practice, most new apps see a first response within 3–7 business days. Re-reviews after addressing rejection feedback typically move faster — 2–3 business days — because the reviewer already knows your app and only needs to verify the specific issues were fixed.

Review times increase significantly during peak periods — particularly November (leading up to BFCM), January (after BFCM when many developers submit holiday-delayed work), and when Shopify releases a major platform change that triggers many apps to resubmit. If you're targeting a specific launch date, submit at least 2 weeks before you need to go live and build in buffer for at least one round of feedback.

What happens during the technical review

The reviewer installs your app on a clean development store. They walk through the OAuth installation flow — verifying the permission request screen shows only the scopes you declared, that the installation completes without errors, and that the app's initial landing page loads correctly. They then navigate through the app's primary functionality as documented in your app listing.

For apps with billing, the reviewer tests the charge flow by going through the payment confirmation in test mode. They verify the charge amount and interval match the listing, that declining the charge doesn't break the app, and that accepting the charge properly unlocks the relevant features. They check that you're not charging through any channel other than Shopify Billing.

The reviewer fires all three GDPR webhooks using the Shopify CLI or the Partner dashboard's webhook testing tools. They verify each endpoint returns a timely 200 response. They may also check the network tab of your embedded app to verify no API keys or sensitive tokens are visible in client-side JavaScript.

Understanding rejection feedback

Rejection notices come via email and include a list of specific issues with references to the relevant policy or guideline. Each issue includes a category (Technical, Design, Listing, Security), a description of the problem, and a link to the relevant documentation. The feedback is specific enough to act on — if a reviewer says 'your app has multiple primary buttons on the Settings page', they mean the Polaris guideline about single primary actions per context, not a vague quality concern.

One common trap: reviewers only report the issues they found during their specific session. If your app has 5 issues and you fix only 3 and resubmit, the reviewer may find different issues in the next session — not necessarily the 2 you left unfixed. It's worth fixing every issue you can identify before resubmitting, even ones not mentioned in the rejection notice.

The Partner dashboard review checklist

Before submitting, Shopify now provides a self-assessment checklist inside the Partner dashboard. The checklist covers the same areas the reviewer will check: API scopes, GDPR webhooks, billing, design compliance, and listing completeness. Completing this checklist won't guarantee approval, but it significantly reduces the risk of a rejection on a preventable issue. Find it under Apps > [Your App] > Distribution > App Store > Review requirements in your Partner dashboard.

The review process is ultimately protecting merchants — the same merchants who will pay for your app. A thorough self-review before submission is worth the time investment. The developers who consistently get through review on the first attempt are not the ones with the cleverest code — they're the ones who treat the review checklist as an engineering spec and ship to it.

Frequently asked questions

Can I appeal a rejection decision?

Yes, through the Partner dashboard's support ticket system. If you believe a rejection was incorrect — particularly if a reviewer misunderstood how a feature works — you can reply to the rejection notice or open a support ticket explaining your reasoning. In practice, appeals succeed most often when the reviewer made a factual error (e.g., they couldn't find a feature because onboarding wasn't clear). Appeals on subjective design issues are less likely to succeed; it's usually faster to fix the issue.

Does my app get re-reviewed every time I update it?

Minor updates — bug fixes, performance improvements, UI tweaks — typically don't trigger a full re-review. You push a new version and it goes live automatically. Scope changes, new extension types, new billing plans, or changes to the OAuth callback URL all require a re-review. Shopify will notify you in the Partner dashboard if your update has triggered a review queue entry.

What happens if my app gets rejected three times?

There's no automatic penalty for multiple rejections — you can resubmit as many times as needed. However, repeated rejections for the same issues can flag your app for closer scrutiny. If you're stuck in a rejection loop, use the Partner dashboard thread to communicate directly with the review team and ask for a clarification call. Shopify does offer review consultations for complex cases.

App listing requirements in detail

The listing review checks your app's name, subtitle, description, screenshots, support URL, and privacy policy URL. Your privacy policy must be hosted at a live URL that's accessible without login, and it must specifically address how merchant and customer data is stored and handled. A generic privacy policy template that doesn't mention Shopify, stores, or the specific types of data your app accesses will be flagged.

Screenshots must show the actual current UI of your app, not mockups or designs. They should show the app installed and functioning — not empty states or loading spinners. Shopify recommends at least 3 screenshots covering the main features. If your app has a mobile or tablet view, include screenshots at those sizes too. Screenshots are the first thing a potential customer sees on your listing; they're worth spending time on.

Your app description should lead with the primary problem it solves, not with your company name or a generic tagline. Reviewers flag descriptions that overstate functionality ('the most powerful X on the market'), make unverifiable claims ('increase revenue by 40%'), or describe features that are in development but not yet in the submitted version. Describe exactly what the app does today, not your roadmap.

After approval: maintaining compliance

Getting approved is not the end of the compliance story. Shopify conducts periodic audits of live apps — particularly apps with significant installs. Apps that were approved under older guidelines may be flagged under updated requirements. Shopify publishes a developer changelog at shopify.dev that includes policy changes alongside technical changes. Subscribe to it and review it monthly to catch any new requirements before they become review issues.

The most common post-approval compliance issue is scope creep — adding new API calls that exceed the declared scopes. If you add a feature that calls a mutation requiring a new scope, that new scope needs to be declared in your shopify.app.toml and re-reviewed. Merchants who already have your app installed will see a permission upgrade prompt the next time they visit your app. This creates friction; planning your scope requirements for at least 6 months of features during the initial submission reduces how often you trigger this flow.

Senior Shopify Engineer

Frances Chen

Keep reading