HomeGuidesAPI Reference
ChangelogHelp CenterCommunityContact Us
Guides
ChangelogHelp CenterCommunityContact Us

Klaviyo app listing requirements

Klaviyo’s integrations directory is the central hub for Klaviyo customers to discover apps that will help achieve their growing business needs. Before submitting your app to be considered for the integrations directory, ensure that your app complies with our app listing requirements. Our requirements fall into the following categories:

  • Customer value
  • Ease of install and use
  • Seamless integration with Klaviyo
  • App listing information
  • App testing information
  • Security requirements
  • Legal requirements

Review each section below for detailed requirements. You may collapse each section as you confirm your app meets the necessary criteria.

Customer value

Accordion
  1. Your app has a website that outlines the app’s benefits to customers, including up-to-date visuals and a demo video.
  2. Your app has step-by-step supporting documentation covering setup instructions, data exchange between your app and Klaviyo, and guidance on achieving common use cases.
  3. Your app maintains uptime and reasonable Service Level Agreements (SLAs)
    • Your app must not have any frequent or unresolved customer support escalations.
    • Any performance, stability, and reliability issues must be addressed and resolved in a timely manner.
    • You must notify customers of any outages affecting your app or related products.

Ease of install and use

Accordion
  1. Your app must have at least 5 installs with API activity. (Note: Developer accounts or any accounts associated with your company do not count towards this requirement.)
  2. Your app must be quick and easy to install. We expect your app to be live and functional within minutes.
  3. Your app should support its main use cases with minimal manual effort from the customer.
  4. Your app does not require the customer to do any coding for basic use cases.
  5. The installation and configuration process should be intuitive, with a modern, high-quality user interface.

Seamless integration with Klaviyo

Accordion
  1. Your app uses OAuth authentication and uses the least permissive scope set possible.
  2. Your app uses stable APIs.
  3. Your app fully handles installation, uninstallation, and error scenarios in its OAuth flow.
  4. Your app’s settings URL directs to a Klaviyo specific integration settings page for your app.
  5. Where applicable, your app follows our guidelines to achieve branded app metrics.
  6. Your app performs as expected and described.
  7. Your app respects API rate limits to avoid unnecessary load in accordance with our API Terms of Use.
  8. Your app monitors for and handles errors reasonably. High error rates may result in being delisted.

App listing information

Accordion
  1. Your app listing has an accurate description of your app and how it provides customer value, beyond general product information.
  2. App listings should not imply endorsement by Klaviyo without formal, written approval:
    • Your app and any related documentation cannot suggest that it is Klaviyo’s “preferred”, “recommended”, “top performing”, “best”, etc. partner.
    • Your app should comply with all Klaviyo brand guidelines when using Klaviyo assets.
  3. Your app listing has information on how to contact customer support.
  4. Your app listing contains links to your app’s Terms of Service and Privacy Policy.
  5. Your app has high-quality demo and enablement material using factual information that does not expose any customer or user information.
  6. Your app must not directly connect merchants to service providers, agencies, developers, capital fundraising, or other restricted services referred to in Klaviyo's Acceptable Use Policy.

App testing information

As part of your app listing submission, you must complete our testing requirements template, for sharing your testing instructions with our reviewers. Submissions that only include general information about your app will not be considered.

Accordion
  1. A customer workflow that enumerates the steps needed to install and utilize your app. Steps on how to configure top use cases must be included.
  2. A list of API endpoints used along with their related use case(s) and scopes that your app needs to fulfill each use case.
  3. An architectural diagram illustrating the data flow between Klaviyo and your systems.
  4. A recorded demo of the use cases of your app.
  5. Testing details that allow our team to test your app’s OAuth flow, i.e., demo the end-to-end flow of data in or out of Klaviyo.

Security requirements

Accordion
  1. Data in transit:
    • Ensure all data transmitted between your app and our systems is encrypted using TLS 1.2 or higher.
    • Use strong recommended cipher suites - refer to the Mozilla SSL Configuration Generator for guidelines on disabling weak cipher suites. This tool provides recommended configurations for various web servers and helps ensure that only secure cipher suites are used.
    • Enforce the use of HTTPS for all API communication to ensure data encryption in transit.
  2. Data at rest:

    All sensitive data (e.g., passwords, financial information, PII, OAuth tokens) must be encrypted at rest using industry-standard algorithms (e.g., AES-256).

  3. Access, authentication, and authorization:
    • Your app must authenticate and authorize requests on exposed endpoints.
    • Your app must validate the application identity and integrity of the request.
    • Your app must validate tokens server-side to ensure that only permitted users can execute actions within an application.
    • Your app must have tokens that expire, and the application must reject expired tokens.
      • At a minimum, ensure that MFA is required to authenticate to your app's systems and resources used to process, store and/or transmit data.
      • Implement robust access controls (e.g., role-based access control) to limit access to data based on the application's specific needs.
      • Clearly state where user data will be stored and processed. If data is transferred outside the user's region, obtain explicit user consent and comply with relevant data transfer regulations (e.g., GDPR).
  4. OAuth credentials security:
    • Store OAuth credentials securely using industry best practices, a dedicated credential store with encryption (e.g., AWS/GCP Secrets Manager, Vault, etc.). Restrict access to credential store(s) to only those individuals required for proper operation.
    • Never hardcode OAuth client credentials within the application code. Always retrieve them from a secure secrets store (e.g. AWS/GCP Secrets Manager, Vault, etc.).
    • Request only the minimum set of API permissions necessary for the application's functionality.
    • Implement mechanisms for regular rotation of OAuth client credentials to mitigate the risk of compromise.
  5. API security:
    • Provide comprehensive and accurate API documentation that outlines available endpoints, authentication methods, and expected data formats.
    • Implement rate limiting on API calls to prevent abuse attacks.
    • Validate and sanitize all user input received through the API to prevent malicious code injection attacks (e.g., SQL injection, XSS).
    • Implement secure error handling practices to avoid exposing sensitive information in error messages.
    • Logging and auditing:
      • Implement logging mechanisms that capture detailed records of activities, including login attempts, data access, changes, deletions, API calls, etc.
      • Securely store logs in a tamper-evident manner to prevent unauthorized access or modifications.
      • Logs must be retained for a minimum of 365 days.
      • Ensure real-time monitoring of log data to detect and alert on suspicious or anomalous activities.
  6. Application security:
    • The third-party application must validate and sanitize all untrusted data and treat all user input as unsafe.
    • The third-party application must not use versions of third-party libraries and dependencies with known critical or high vulnerabilities. When vulnerabilities in these libraries and dependencies are discovered, application developers must remediate vulnerabilities in 3 and 7 days respectively.

Legal requirements

Accordion
  1. Apps must pass our security review.
  2. Information about your company, app, and use case(s) must be true and complete at the time of submission.
  3. You must submit an app registration form and, as part of that, agree to the following terms:

Updated 15 days ago

Power smarter
digital relationships
By entering your information and clicking “Sign up,” you consent to receive marketing emails (such as newsletters, blog posts, webinars, event invitations and new product updates) from Klaviyo from time to time. You can unsubscribe at any time by clicking on the “Unsubscribe” link at the bottom of our emails. For more information on how we process your personal information and what rights you have in this respect, please see our Privacy Policy.
Terms and Privacy Trademarks Security