Skip to content
Blog

How to Launch Your Salesforce App on the AppExchange

Jump to
Heading 2
Unlock Growth with
the Right RevOps Help
Candybox is the strategist and operator partner who’ll align your GTM systems to scale.
Let's chat
Share this post

If you’re launching an app on the AppExchange for the first time, the biggest challenge is  understanding the process.

Salesforce documentation explains individual steps well, but it doesn’t provide a clear end-to-end picture: which orgs you actually need, how packaging decisions affect downstream steps, how reviews are sequenced, or where teams tend to lose time.

We recently went through this entire process ourselves, from namespace setup and scratch orgs to security review and publishing. This guide is a practical walkthrough of what mattered, what slowed us down, and what we’d do differently next time.

Start With the Right Conceptual Decisions

A few early decisions shape everything that follows. Getting these clear up front avoids rework later.

Target Cloud

Decide which Salesforce cloud your app supports (Sales, Service, Revenue Cloud/CPQ, etc.). This affects both technical setup and how Salesforce evaluates your listing.

Required Sales Edition

Be explicit about which editions your app supports (Professional, Enterprise, Unlimited). Over-restricting reduces adoption; under-restricting increases support risk.

Target User Persona

Define who the app is built for:

  • Admins
  • Architects
  • Ops / RevOps
  • End users (sales, service, CS)

This directly influences listing copy, screenshots, and how the app is positioned during review.

Business Model

Free or paid. This matters later for review sequencing and fees.

The Org Setup (Why You Actually Need Each One)

Most first-time ISVs underestimate the number of Salesforce orgs involved. Each has a specific role.

Partner Business Org (PBO)

Your primary partner org. Required to participate in the AppExchange and access the Partner Community.

Dev Hub Org

Where your namespace is managed and where second-generation managed packages live. This can be your PBO or a separate production org.

Developer Org

Used to create the namespace initially. You’ll also need a developer org with the app installed during security review.

Scratch Orgs

Temporary, configurable environments used for development, testing, and packaging. Required for 2GP workflows.

Packaging Org

If you’re using 2GP, this is effectively your Dev Hub.

Packaging note:

  • 1GP is legacy, org-based, and UI-driven
  • 2GP is source-driven, CLI-based, and far more flexible

For new apps, 2GP is almost always the right choice.

Development & Packaging Flow (High Level)

Once orgs and settings are in place, the process is straightforward:

  1. Apply for a Partner Business Org
  2. Enable Dev Hub
  3. Enable Unlocked Packages and 2GP
  4. Create and register your namespace
  5. Build and test the app
  6. Create a scratch org with minimal required config
  7. Verify all required components are present
  8. Create a package via CLI (beta version)
  9. Complete beta testing
  10. Promote the package
  11. Production installs are now supported

Creating the AppExchange Listing

From the Partner Community:

  • Create a listing in Publishing
  • Connect your Dev Hub org under Technologies
  • Your packages appear automatically under Solutions
  • Complete listing content and metadata

This is also where review sequencing becomes important.

Business Review vs Security Review (Sequence Matters)

If your app is free, submit the Business Review first.

Once approved, Salesforce provides a Security Review voucher, reducing the fee to $1 (Stripe does not allow $0 charges).

Recommended sequence for free apps:

  1. Create listing
  2. Submit Business Review
  3. Receive voucher
  4. Submit Security Review

Submitting security first still works but costs more.

Security Review: What It Actually Involves

Security review requires:

  • A UAT environment
  • Static code scans in your dev environment
  • Checkmarx scans via the Partner Security Portal
  • Documentation of false positives

For lower-risk apps, the process is generally manageable. Our review completed in under a week with minimal back-and-forth.

Managed Package Consideration: Logging Matters

Managed packages hide code to protect IP. That also means you can’t debug issues directly in customer orgs.

Build logging into the app from the start. Even basic error and event logging makes post-install troubleshooting significantly easier.

Where the Time Really Goes

For first-time publishers:

  • Most effort goes into understanding the process
  • Execution is relatively fast once the path is clear
  • Security prep (scans, documentation) is the largest non-development task

Once you’ve done this once, future launches are far more predictable.

Final Thoughts

Publishing on the AppExchange is less about complexity and more about alignment with Salesforce’s packaging and review model.

With the right setup, correct review sequencing, and reasonable security preparation, the process is approachable and repeatable.

If you’re planning an AppExchange launch and want a second set of eyes on packaging, security prep, or listing strategy, this is the kind of work we help teams think through every day.

In case you're interested, below is our founder's presentation on this same topic.

FAQs

No items found.

Smarter systems. Smoother processes. Real growth.

The right RevOps support helps you move faster. Cleaner handoffs, better data, and a GTM engine that actually scales.

Get a free taste

Read more articles

Solving Salesforce Technical Debt in Growth-Stage SaaS: What to Fix and Why It Matters

Best Practices
Best Practices
Read more

The Ultimate Guide to SaaS KPIs: Finance, Marketing, Sales, CS and More

RevOps
RevOps
Read more
See all posts

View more episodes

From Admin to Architect: Dee Hamori on Building Remote Salesforce Careers

Go to episode

Bridging the GTM Gap: How Bennet Simonton Aligns Sales, Ops, and the Tech Stack

Go to episode
See all episodes