Publishing your plugin

This guide takes you from a built, hosted plugin to a listed marketplace plugin that merchants can install.

Overview

Publishing happens in the partner dashboard at https://partner.myorbitcommerce.net. You describe your plugin with a manifest (through a guided wizard or by importing JSON), point its extension points at the HTTPS app you host, request the OAuth scopes you need, optionally configure pricing, and submit it for review. After Orbit reviews it, the plugin is listed on the marketplace.

The lifecycle is:

created -> configured -> submitted for review -> reviewed by Orbit -> listed

Before you start, make sure your plugin is actually built and reachable. See Getting started for the architecture, Scopes for the permission model, and the SDK guide for how your app talks to Orbit at runtime.

Go to https://partner.myorbitcommerce.net.
Register a partner account, or sign in if you already have one.
From the partner dashboard you can create plugins, manage their versions, configure pricing, and submit them for review.

A single partner account can own multiple plugins.

Create a plugin: the 4-step wizard

New plugins are created with a 4-step wizard. If you already have a manifest, you can use JSON import instead of filling the fields by hand — the imported JSON maps to the same fields described below.

Step 1 — Identity

Core listing metadata. Field limits are enforced.

Field	Rules
`name`	Display name, max 30 characters
`pluginId`	Stable identifier, kebab-case, max 50 characters
`shortDescription`	One-line summary, max 100 characters
`description`	Full description, 10–2800 characters
`version`	Semantic version, e.g. `1.0.0`
`category`	One of: `marketing`, `sales`, `analytics`, `shipping`, `payments`, `inventory`, `customer-service`, `design`, `productivity`, `other`
`tags`	Array of free-form tags

The pluginId is your plugin's permanent handle — choose it carefully, since it identifies your plugin across installs and versions.

Step 2 — Integration

How your plugin mounts inside the store dashboard, what it can access, and how it is configured.

extensionPoints[] — where your plugin UI appears. Each entry is { target, url, label? }, where url is the HTTPS address of your hosted app for that mount point. This is the page the store dashboard loads in the iframe.
oauth.scopes[] — the permissions your plugin requests. Use the singular <resource>:<action> convention (for example product:read, order:list). Optionally include oauth.redirectUrls[].
ui.menu — { label?, icon?, position? } for your entry in the store dashboard navigation.
settingsSchema[] — the merchant-facing settings form. Each field is { key, type, title, description?, required?, options? }, where key is lower_snake, type is one of string | number | boolean | select, and options applies to select.

Set every extension point url to your hosted HTTPS app — not localhost. The store dashboard embeds these URLs as iframes, so they must be served over HTTPS with the correct CSP frame-ancestors header (see the checklist below).

Example of the integration fields as JSON:

{
  "extensionPoints": [
    {
      "target": "dashboard.main",
      "url": "https://app.example.com/orbit",
      "label": "My Plugin"
    }
  ],
  "oauth": {
    "scopes": ["product:list", "product:read", "order:read"],
    "redirectUrls": ["https://app.example.com/oauth/callback"]
  },
  "ui": {
    "menu": { "label": "My Plugin", "icon": "puzzle", "position": 50 }
  },
  "settingsSchema": [
    {
      "key": "api_mode",
      "type": "select",
      "title": "API mode",
      "description": "Which environment to sync with",
      "required": true,
      "options": ["live", "sandbox"]
    }
  ]
}

Request only the scopes you need

The scopes you list in oauth.scopes are what the merchant is asked to consent to at install. The granted set becomes your token's scopes claim and is enforced on every request: a token missing a required scope is rejected with HTTP 403.

Request the minimum that makes your plugin work. Over-requesting raises friction at the consent step and during review. If you later need more, ship a new version. See the Scopes guide and the full Scope Catalog.

Step 3 — Listing

Marketplace-facing detail.

Field	Purpose
`supportUrl`	Where merchants get help
`documentationUrl`	Your plugin's docs
`features[]`	Highlighted capabilities shown on the listing

supportUrl and documentationUrl are optional, but providing real, working links improves both review and merchant trust.

Step 4 — Review & submit

Review everything you entered, then submit. Submitting hands the plugin to Orbit for review before it is listed.

Configure pricing (if monetising)

If you charge for your plugin, configure pricing plans in the partner dashboard. Plans can be:

free — no charge
one_time — a single purchase
subscription — recurring billing

Your plugin reads and acts on the merchant's billing state at runtime through the SDK's billing client — for example orbit.billing.getStatus() to check entitlement, and orbit.billing.requestPurchase({ planId }) to open the dashboard payment modal. See the SDK guide for the full billing surface.

Submit for review and what to expect

After you submit, Orbit reviews the plugin before it appears on the marketplace. Review covers your manifest, the scopes you requested, and that your embedded app loads and behaves correctly.

To keep review smooth:

Make sure your extension point URLs load over HTTPS and embed cleanly in an iframe.
Request only the scopes your plugin actually uses.
Provide a working support URL and documentation URL.
Test a real install end to end before submitting.

Once reviewed, your plugin is listed and merchants can install it.

Versioning

Use semantic versioning (MAJOR.MINOR.PATCH, e.g. 1.0.0) for the version field.

PATCH (1.0.1) — backwards-compatible fixes.
MINOR (1.1.0) — backwards-compatible additions.
MAJOR (2.0.0) — breaking changes, including changes to the scopes you require.

If a new version requests additional scopes, merchants consent to the expanded set, so treat scope expansion as a significant change and document it in your release.

Pre-submission checklist

Before you hit submit, confirm:

Your app is served over HTTPS.
Your app sends the iframe CSP header: Content-Security-Policy: frame-ancestors 'self' https://*.orbitcommerce.net https://*.myorbitcommerce.net http://localhost:*.
oauth.scopes lists only the scopes you actually use (singular <resource>:<action> form).
Every extensionPoints[].url points at your hosted app and loads in an iframe (not localhost).
supportUrl and documentationUrl are real, working links.
You have tested a full install on a store: the plugin mounts, orbit.ready() resolves, and your core flows work.
version is a valid semver string.
Identity fields are within their length limits.

Next steps

Getting started — plugin architecture and your first build.
Scopes and the Scope Catalog — choose the right permissions.
SDK — runtime calls, billing, and iframe helpers.
API reference — full endpoint and schema detail.