Salesforce ISV Guide
AppExchange Listing Checklist
From Code to Listed — Step by Step
I listed Delivery Hub on the Salesforce AppExchange. It took longer than I expected, taught me more than any Trailhead module, and gave me a checklist I wish someone had handed me on day one. Here it is.
Pre-Development Planning
Join the Salesforce Partner Program
Critical: Sign up at partners.salesforce.com. You need a partner org (free) and access to the AppExchange Publishing Console. This takes 1-2 business days to activate.
Choose your package type
Managed packages are the standard for AppExchange. They protect your IP, support upgrades, and enable licensing. Unlocked packages are an alternative but have limitations for commercial distribution.
Plan your namespace
Critical: Register a namespace prefix in your packaging org. This prefix will be permanently attached to all your custom objects, fields, classes, and components. Choose carefully — it cannot be changed later.
Define your target audience
Sales Cloud users? Service Cloud? Platform users? Your target audience affects your metadata design, permission set structure, and marketing copy.
Development & Packaging
Build in a packaging org or use 2GP
First-generation managed packages (1GP) are built in a dedicated packaging org. Second-generation packages (2GP) use Salesforce CLI and source control. 2GP is the future but 1GP is still widely used.
Create Permission Sets (not Profiles)
Critical: AppExchange apps must use Permission Sets, not custom Profiles. Create a permission set for each user persona (admin, standard user, read-only). Include object permissions, field-level security, and Apex class access.
Add Custom Settings or Custom Metadata Types for config
Avoid hardcoding org-specific values. Use Custom Metadata Types (CMDTs) for configuration that admins can modify. Custom Settings work too, but CMDTs are the modern approach and deploy via the Metadata API.
Write Apex tests with 75%+ coverage
Critical: Salesforce requires 75% minimum Apex code coverage, but aim for 90%+ for security review. Cover positive cases, negative cases, bulk scenarios, and governor limit edge cases.
Add error handling and governor limit protection
Security review will reject apps that hit governor limits in common scenarios. Use Limits class checks, batch/queueable for bulk operations, and graceful error messages for end users.
Implement CRUD and FLS checks
Critical: Every Apex operation that creates, reads, updates, or deletes records must check user permissions. Use Schema.SObjectType methods or WITH SECURITY_ENFORCED in SOQL. Security review will fail without this.
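The two mechanisms named above, shown together in one service class. This is an added example, not code from Delivery Hub: the class name, exception name, and method names are hypothetical, and it uses the standard Contact object so it compiles in any org.

```apex
// Added example: hypothetical service class, not code from Delivery Hub.
public with sharing class ContactNoteService {

    public class PermissionCheckException extends Exception {}

    // READ: WITH SECURITY_ENFORCED makes the query throw System.QueryException
    // if the running user lacks read access to Contact or any selected field.
    public static List<Contact> getContacts(Set<Id> accountIds) {
        try {
            return [
                SELECT Id, LastName, Email, Description
                FROM Contact
                WHERE AccountId IN :accountIds
                WITH SECURITY_ENFORCED
            ];
        } catch (System.QueryException e) {
            throw new PermissionCheckException('Insufficient read access: ' + e.getMessage());
        }
    }

    // UPDATE: check object-level (CRUD) and field-level (FLS) access before DML.
    public static void setDescriptions(Map<Id, String> descriptionsByContactId) {
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new PermissionCheckException('No update access to Contact');
        }
        if (!Schema.sObjectType.Contact.fields.Description.isUpdateable()) {
            throw new PermissionCheckException('No update access to Contact.Description');
        }
        List<Contact> toUpdate = new List<Contact>();
        for (Id contactId : descriptionsByContactId.keySet()) {
            toUpdate.add(new Contact(
                Id = contactId,
                Description = descriptionsByContactId.get(contactId)
            ));
        }
        update toUpdate; // one DML statement for the whole collection
    }

    // DELETE: object-level check only; FLS does not apply to delete.
    public static void removeContacts(List<Contact> contacts) {
        if (!Schema.sObjectType.Contact.isDeletable()) {
            throw new PermissionCheckException('No delete access to Contact');
        }
        delete contacts;
    }
}
```

WITH SECURITY_ENFORCED checks only the fields and objects in the SELECT and FROM clauses, so a field used solely in WHERE or ORDER BY (AccountId here) still needs a Schema.SObjectType check if its visibility matters.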
Security Review Preparation
Run the Salesforce Code Analyzer (formerly PMD)
Critical: Install Salesforce Code Analyzer via CLI: `sf plugins install @salesforce/sfdx-scanner`. Run it against your entire codebase. Fix all Critical and High severity issues. Medium issues can block review too.
Eliminate SOQL/DML inside loops
Critical: This is the #1 reason security reviews fail. Bulkify all operations. Query outside loops, process collections, and DML outside loops.
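The pattern in its failing and bulkified forms, side by side. This is an added example, not code from Delivery Hub: the handler and exception names are hypothetical, and it uses the standard Opportunity and Account objects.

```apex
// Added example: hypothetical handler, standard objects only.
public with sharing class OpportunityRollupHandler {

    public class RollupAccessException extends Exception {}

    // BEFORE (fails review): one SOQL query and one DML statement per record.
    // A 200-record batch issues 200 queries, past the 100-query synchronous limit.
    public static void stampAccountsUnbulkified(List<Opportunity> opps) {
        for (Opportunity opp : opps) {
            Account acct = [SELECT Id, Description FROM Account WHERE Id = :opp.AccountId];
            acct.Description = 'Last opportunity: ' + opp.Name;
            update acct;
        }
    }

    // AFTER: one query and one DML statement regardless of batch size.
    public static void stampAccounts(List<Opportunity> opps) {
        if (!Schema.sObjectType.Account.fields.Description.isUpdateable()) {
            throw new RollupAccessException('No update access to Account.Description');
        }
        // Keying by AccountId also de-duplicates: two opportunities on the same
        // account would otherwise put the same Id in the update list twice,
        // which DML rejects.
        Map<Id, String> lastOppNameByAccountId = new Map<Id, String>();
        for (Opportunity opp : opps) {
            if (opp.AccountId != null) {
                lastOppNameByAccountId.put(opp.AccountId, opp.Name);
            }
        }
        if (lastOppNameByAccountId.isEmpty()) {
            return; // nothing to do; spend no query on an empty set
        }
        List<Account> toUpdate = new List<Account>();
        for (Account acct : [
            SELECT Id, Description FROM Account
            WHERE Id IN :lastOppNameByAccountId.keySet()
            WITH SECURITY_ENFORCED
        ]) {
            acct.Description = 'Last opportunity: ' + lastOppNameByAccountId.get(acct.Id);
            toUpdate.add(acct);
        }
        update toUpdate;
    }
}
```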
Remove hardcoded IDs and org-specific references
No hardcoded record IDs, org IDs, or instance URLs. Use Custom Metadata, Custom Labels, or dynamic queries. Security review scanners flag these automatically.
Handle XSS in Visualforce and Lightning components
Use JSENCODE, HTMLENCODE, and URLENCODE in Visualforce. In LWC, the framework handles most XSS protection, but watch for innerHTML and third-party libraries.
Document your architecture
Security review requires a technical architecture document: data model diagram, integration points, authentication flows, and any external callouts. Keep it clear and comprehensive.
Schedule the security review early
Critical: Security review takes 4-8 weeks on average. Schedule it well before your target launch date. First submissions have a higher rejection rate — budget time for a second round.
Listing & Marketing Assets
Write a compelling listing description
Lead with the problem you solve, not features. Include specific use cases, target personas, and integration points. Use bullet points for scannability. Keep it under 4,000 characters.
Create 3-5 screenshots (1024x768 minimum)
Critical: Show the app in action on realistic data. Include the main dashboard, key workflows, and configuration screens. Annotate with callouts for key features. No placeholder data — use demo org data.
Record a demo video (2-3 minutes)
A short video dramatically increases listing conversion. Walk through the primary use case end-to-end. Keep it under 3 minutes. Host on YouTube or Vimeo.
Set up your pricing model
Choose between free, freemium, per-user/month, or flat monthly. Research competitor pricing. Consider a free trial to reduce friction. Salesforce takes a revenue share on paid listings.
Prepare installation documentation
Create a setup guide covering: installation steps, permission set assignment, initial configuration, and a quick-start walkthrough. Include screenshots. Link it from your listing.
Create a support page
AppExchange requires a support URL. Set up a page with contact info, FAQ, known issues, and release notes. This is a trust signal for potential customers.
Submission & Post-Launch
Submit for AppExchange review
Upload your managed package version, listing content, and screenshots to the Publishing Console. Double-check that all metadata, descriptions, and links are correct before submitting.
Respond to review feedback quickly
If the review team requests changes, respond within 3-5 business days to keep your place in the queue. Most feedback is about security patterns — have your developer ready to fix and resubmit.
Plan your launch promotion
Announce on LinkedIn, Salesforce community forums, and Trailblazer Community. Write a blog post. Reach out to Salesforce MVPs and consultants in your target vertical.
Monitor reviews and support requests
Respond to every AppExchange review, positive or negative. Fast support response dramatically improves your listing rating and conversion.
Plan your upgrade path
Managed packages support push upgrades for bug fixes and pull upgrades for major versions. Plan your versioning strategy. Test upgrades in a scratch org before pushing to customers.
Lessons from Listing Delivery Hub
Delivery Hub is a Salesforce-native project management app I built as a solo developer at Cloud Nimbus LLC. Getting it through security review taught me that the review process tests real-world scenarios, not just code coverage numbers.
The biggest time sink was CRUD/FLS enforcement. Every SOQL query and every DML operation needed explicit permission checks. The second biggest was bulkification — the review team tests with 200+ record batches and watches for governor limit hits.
My advice: run the Salesforce Code Analyzer before your first submission. Fix everything it flags. It catches 80% of what the security review catches, and you can iterate locally instead of waiting weeks for human review feedback.
Need Help Getting Listed?
I offer consulting for Salesforce ISVs going through the AppExchange listing process. Architecture review, security review preparation, packaging strategy, and hands-on help with the submission.
Frequently Asked Questions
How much does it cost to list on the AppExchange?
Joining the Salesforce Partner Program is free. There is no listing fee. However, Salesforce takes a 15-25% revenue share on paid app subscriptions sold through the AppExchange. The exact percentage depends on your partner tier and agreement terms. Security review does not have a separate fee but the engineering time investment is significant.
How long does the AppExchange security review take?
The security review typically takes 4-8 weeks from submission. First-time submissions often get rejected and require a second round, adding another 2-4 weeks. The most common rejection reasons are: missing CRUD/FLS checks, SOQL inside loops, hardcoded IDs, and insufficient test coverage. Prepare thoroughly to minimize back-and-forth.
Can I list a free app on the AppExchange?
Yes. Many apps on the AppExchange are free — either fully free or freemium (free base + paid premium features). Free apps still need to pass the security review. Listing a free version is a common strategy to build install base and reviews before introducing paid features.
What is the difference between 1GP and 2GP managed packages?
First-generation packages (1GP) are built in a dedicated packaging org using the UI. Second-generation packages (2GP) are built using Salesforce CLI and source control, enabling CI/CD pipelines. 2GP supports scratch org development, versioned dependencies, and better source tracking. Salesforce is investing in 2GP as the future of packaging, but 1GP is still fully supported.
Do I need a separate org to build an AppExchange app?
For 1GP, yes — you need a dedicated packaging org (also called a Developer Edition org registered as a partner). For 2GP, you develop in scratch orgs and the package is created in your Dev Hub. Either way, never build your package in a production org.