What is HubSpot app certification, and how is it different from listing?

Listing gets your app into the Marketplace; certification is a quality review on top of it. The HubSpot Ecosystem Quality team reviews a listed app against security, privacy, reliability, performance, usability, accessibility, and value requirements. Passing earns the HubSpot Certified App badge, the certified search filter, and eligibility for curated collections.

What are the hard numbers for certification?

At least 60 active installs from production accounts unaffiliated with your organization, an average API success rate above 95% across all app activity, at least six months listed in the Marketplace, and no certification rejection in the prior six months. Certification then renews on a two-year cycle.

How long does the certification review take?

HubSpot responds to certification requests within 10 business days, and the full review-and-feedback process is bounded at 60 days from the time feedback is shared. Only one app can be in review at a time, and a demo video is mandatory or the review will not start.

Does certification cost anything?

No. There is no fee to list or certify, and no revenue share. The cost is operational: meeting the install, reliability, and documentation bars, and renewing every two years.

What gets apps rejected most?

The published feedback examples cluster around reliability and scope hygiene: success rates dragged under 95% by 429 bursts and expired-token 401s, requesting scopes the app never uses, pulling records one at a time instead of batching, and listings or setup docs that drifted from what the app actually does.

Guides · Grow

Certification

Certification is the badge program on top of your listing: HubSpot's Ecosystem Quality team audits how your app actually behaves in production — success rates, scope hygiene, token handling, documentation truth — and renews that judgment every two years. Most of what it measures is exactly the plumbing HS-X's runtime already owns, which makes the audit far less scary than it reads.

Outcome: A clear picture of what the review measures, the hard thresholds, and which requirements your runtime already carries versus the ones only you can earn.
Prerequisites: A listed marketplace app (see the marketplace guide for the listing review itself)
Patience: six months listed and 60 active installs are prerequisites, not outcomes of the review

TL;DR — Certification requires 60 active unaffiliated installs, a 95%+ API success rate, six months listed, OAuth-only auth, and a demo video that shows the uninstall flow. The review loop is bounded at 60 days and the badge renews every two years. HS-X's runtime carries the reliability half of the bar; the installs and documentation are yours.

A production audit, not a code review

The listing review asks whether your app is presentable. Certification asks whether it behaves: HubSpot reads your app's actual API activity over trailing windows and grades it. Requests that 429 because you ignored rate limits, 401s from tokens you let expire before refreshing, one-at-a-time reads where a batch endpoint exists — each drags a measured success rate that must stay above 95%, and the published feedback examples show reviewers citing your error logs back at you with specific status codes.

That is why the prerequisites are time-shaped. Six months listed and 60 active installs are not bureaucracy; they are the sample size the audit needs. Plan certification as a season-two goal: ship, grow installs, keep the error rate clean, then apply.

The requirements that decide it

Requirement	The line
Active installs	60+ production accounts, unaffiliated with you, showing app activity in the last 30 days
API success rate	Above 95% across all activity; error responses count against you
Time listed	6 months minimum, and no certification rejection in the last 6 months
Auth	OAuth authorization-code flow only; no copy-pasted tokens, refresh without user involvement
Scopes	Every requested scope must be used; one-segment-only scopes move to conditional or optional
Identity	One app ID, one listing; verified domain; no classic CRM cards
Uninstall	Call HubSpot's uninstall endpoint when a user disconnects on your side, and show it in the demo video
Documentation	Public, current setup guide with screenshots including the scope-approval screen
Renewal	Two-year cycle; reminders start 90 days out; lapse removes the badge

The demo video is a gate, not a nicety: HubSpot will not start the review without one, and it must show a user disconnecting, the uninstall endpoint firing, and the app disappearing from the portal's connected apps.

What your runtime already carries

Read the rejection examples and a pattern emerges: most failures are plumbing, and the plumbing is what HS-X owns in your own Cloudflare account. The runtime's rate limiter paces requests inside HubSpot's published budget so bursts do not become 429 streaks. Token refresh happens proactively under a per-install lock, which is the exact fix for the expired-token 401 pattern reviewers cite. Sync writes batch into HubSpot's batch endpoints, the precise recommendation in the one-at-a-time feedback example. And uninstall detection in the runtime stops activity against portals that removed you, so a dead install does not sit there generating errors against your success rate.

What stays on your plate: declaring only the scopes you use (the review reads your traffic and will name unused ones), the uninstall-endpoint call in your own disconnect flow, the demo video, the setup documentation, and earning the installs themselves. The marketplace guide covers the listing half; monitoring covers watching your own error rates before HubSpot grades them.

Applying, and staying certified

One app at a time, demo video attached. HubSpot responds within 10 business days, and the whole feedback loop is bounded at 60 days. Pass, and the badge plus the certified search filter and collection eligibility turn on. Fail, and you can reapply in six months, so go in ready rather than hopeful.

Certification is now a two-year cycle rather than a permanent state: reminders begin 90 days before expiry, the developer account tracks status and renewal, and falling out of compliance can trigger recertification early. Treat the requirements as operating standards, not a one-time exam, and renewal becomes paperwork instead of a scramble.

Where next