Create your production app

To create a SecurityScorecard app you only need one thing: an app manifest.

The App Manifest

This is an internet-facing json document in a permanent url, that describes your app.

Here's a basic example you can use as template:

 "name": "Your Application Name", // must be unique
 "namespace": "your_app_namespace",
 "description": {
   "short": "this is the description of your app",
   "long": "this is the long description of your app, visible on the details page"
 "display_settings": {
   "primary_color": "#000000", // in hexadecimal value
   "secondary_color": "#FFFFFF",
   "icon": "url to a Xpx by Xpx image",
  // note that if a url is relative, is resolved based on the url of this manifest
   "logo_url": "url to a Xpx by Xpx image",
  // hero image to show in the marketplace app page, 
  // typically a screenshot of animated gif showing a preview of this app in action 
  // this can also be a youtube video to embed
   "hero_images": [
       "text": "a brief description",
       "url": "url to the image/gif or video"
   "homepage_url": "",
   "help_url": ""
 // company/site associated to the maintainer of this app
 "developer": {
   "name": "Security Scorecard",
   "website_url": "",
   "privacy_url": "",
   "terms_of_use_url": ""

Note: for guidelines on how to define the copy, logo and other metadata above, see our Design Guidelines.

Once you have your manifest exposed in a public permanent url you can do a first install by calling this endpoint:

curl -X POST \ \
  -H 'content-type: application/json'
  -H 'authorization: Token <your API key>'
  --data '{"url":""}'


Your app is created and will be listed in the Marketplace only for you (for the user associated to the used API key). Your app is still private, but you can invite other developers to install it using the method above.

You can also invite other teammates to install this app using an invite url. Your app invite url is simple its url in the marketplace adding /authorize at the end. For example:

Whenever any user installs your app (including yourself), SecurityScorecard will fetch your app manifest to look for any changes. This makes it seamless to publish updates. But beware some breaking changes (eg. new API scopes required) will require users to re-install your app.

What’s Next

At this point, you can start describing your app, and testing how it looks in the marketplace, but it doesn't do much. Let's start adding some functionality.