
What Stripe's App Review Actually Looks Like From the Inside

I built an AI-powered payment recovery app and submitted it to Stripe's App Marketplace. Here's what their review team flagged, what I had to fix, and what I wish someone had told me before I started.

Tags: stripe, app-review, claude-api, build-log

Most developers who build on Stripe never go through their App Marketplace review. They use the API, maybe Connect, and that's it. I built a full Stripe app — Reclaim, an AI-powered payment recovery tool — and submitted it for review.

This is what actually happened.

What Reclaim does

When a subscription payment fails on Stripe, most merchants either do nothing or send a generic "please update your card" email. Reclaim does three things differently:

  1. It classifies the decline code to understand why the payment failed (expired card is different from insufficient funds is different from a bank-level block)
  2. It uses the Claude API to generate a recovery email that matches the specific failure reason and the merchant's tone
  3. It schedules retry attempts based on the failure type — because retrying an expired card immediately is pointless, but retrying insufficient funds in 3 days often works

The OAuth implementation they actually check

The first thing Stripe's review team looked at was OAuth. Not "does it work" — they checked the specific implementation details.

They wanted to see the full OAuth 2.0 authorization-code flow with PKCE, not just a login that happened to work. They verified that access and refresh tokens were stored server-side, not in browser local storage or cookies. They checked that my app handled token refresh correctly and that deauthorization worked: when a merchant disconnects your app, Stripe sends an `account.application.deauthorized` event, and you need to delete the stored tokens and stop acting for that account immediately.

This took me longer than the actual AI features to get right.
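The PKCE half of the flow described above, as an added example in Python. This is my illustration, not Reclaim's code and not Stripe's SDK: it generates the code verifier and S256 challenge per RFC 7636 and keeps the verifier server-side, bound to a single-use `state` value so a replayed callback cannot reuse it. The Stripe authorize and token endpoints and their parameters are deliberately left out; `PendingAuthorizations` and its method names are assumptions.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters from a CSPRNG.
    # base64url of 32 random bytes, padding stripped, is exactly 43 characters.
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(verifier))), no padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class PendingAuthorizations:
    """Hypothetical server-side store of in-flight authorizations keyed by `state`.

    Only the challenge and state go to the browser; the verifier never leaves
    the server, which is what makes an intercepted authorization code useless.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def start(self) -> Tuple[str, str]:
        """Begin an authorization; returns (state, code_challenge) for the redirect."""
        state = secrets.token_urlsafe(32)
        verifier = make_code_verifier()
        self._pending[state] = verifier
        return state, make_code_challenge(verifier)

    def finish(self, state: str) -> Optional[str]:
        """On callback: look up the verifier for this state, exactly once.

        Returns None for an unknown or already-used state, which the handler
        must treat as an error rather than proceeding to the token exchange.
        """
        return self._pending.pop(state, None)


if __name__ == "__main__":
    store = PendingAuthorizations()
    state, challenge = store.start()
    print("send to browser:", state, challenge)
    print("verifier recovered on callback:", store.finish(state) is not None)
    print("second use of same state rejected:", store.finish(state) is None)
```

The `finish` result is what gets sent as `code_verifier` in the token request; the server recomputes the challenge from it and refuses the exchange if it does not match what the authorize step received.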

Webhook security is non-negotiable

Stripe verifies that you're validating webhook signatures on every event. Not some events — every single one, against the raw request body and the endpoint's signing secret. They also check that you handle duplicate events idempotently, because Stripe will retry failed webhook deliveries and can occasionally deliver the same event more than once even when nothing failed.

I had a bug where my webhook handler would occasionally process the same event twice, creating duplicate recovery emails. The review caught it. I had to make event processing idempotent, keyed on the Stripe event ID, so a redelivered event is recognized and skipped instead of acted on again.
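Both checks from this section in one place, as an added example that is not Reclaim's code. It re-implements Stripe's documented signature scheme (HMAC-SHA256 over `"<timestamp>.<raw body>"`, carried in the `Stripe-Signature` header as `t=...,v1=...`) with a constant-time compare and a replay window, then dispatches events idempotently on their ID. In production you would call `stripe.Webhook.construct_event` from the official SDK rather than hand-rolling this; the point here is to make visible what that call does and why the raw body matters. The secret, event payload and `WebhookProcessor` class are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Set

TOLERANCE_SECONDS = 300  # default replay window used by Stripe's SDKs

# Constructed sample input: a fake endpoint secret and one invoice.payment_failed event.
SAMPLE_SECRET = "whsec_constructed_example_secret"
SAMPLE_NOW = 1_700_000_000
SAMPLE_BODY = json.dumps({
    "id": "evt_constructed_0001",
    "type": "invoice.payment_failed",
    "data": {"object": {"customer": "cus_constructed_0001"}},
}).encode()


def sign_payload(secret: str, body: bytes, timestamp: int) -> str:
    """Build a Stripe-Signature header the way Stripe does (used here only to
    construct test input): HMAC-SHA256 over "<t>.<raw body>", hex encoded."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_signature(secret: str, body: bytes, header: str, now: Optional[int] = None) -> bool:
    """Verify against the RAW request body. Re-serialising parsed JSON changes
    the bytes and breaks the MAC, which is the most common way this check gets
    accidentally disabled."""
    now = int(time.time()) if now is None else now
    timestamp: Optional[str] = None
    candidates: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":            # v0 entries are legacy and ignored
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False                  # stale: a captured delivery being replayed
    expected = hmac.new(secret.encode(), f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time compare; several v1 values appear during secret rotation, any one may match.
    return any(hmac.compare_digest(expected.encode(), c.encode()) for c in candidates)


class WebhookProcessor:
    """Signature check first, then idempotent dispatch keyed on the event id."""

    def __init__(self, secret: str) -> None:
        self.secret = secret
        self.seen: Set[str] = set()          # production: DB table with a unique index on event id
        self.recovery_emails: List[str] = []  # stands in for the real side effect

    def handle(self, body: bytes, header: str, now: Optional[int] = None) -> str:
        if not verify_signature(self.secret, body, header, now):
            return "rejected"                 # respond 400; never parse an unverified body
        event = json.loads(body)
        event_id = event["id"]
        if event_id in self.seen:
            return "duplicate"                # respond 200 so Stripe stops redelivering
        self.seen.add(event_id)               # claim the id before any side effect
        try:
            if event["type"] == "invoice.payment_failed":
                self.recovery_emails.append(event["data"]["object"]["customer"])
        except Exception:
            self.seen.discard(event_id)       # release the claim, return 5xx, let Stripe retry
            raise
        return "processed"


if __name__ == "__main__":
    header = sign_payload(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_NOW)
    proc = WebhookProcessor(SAMPLE_SECRET)
    print(proc.handle(SAMPLE_BODY, header, now=SAMPLE_NOW))   # processed
    print(proc.handle(SAMPLE_BODY, header, now=SAMPLE_NOW))   # duplicate
    print(proc.handle(SAMPLE_BODY + b" ", header, now=SAMPLE_NOW))  # rejected
```

Claiming the event ID before the side effect is the choice that prevents the double email; the trade-off is that a crash mid-processing must release the claim and return a 5xx, otherwise the retry is swallowed as a duplicate and the email is never sent.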

Error handling they specifically look for

The review checks what happens when things go wrong. What does your app do when:

  • The Stripe API returns a rate limit error?
  • A webhook delivery fails?
  • Your app can't reach your own backend?
  • A merchant's subscription is in a weird state?

I had to add retry logic with exponential backoff for API calls and make sure my UI showed meaningful error states instead of blank screens.
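The retry logic this section calls for, as an added example that is my own and not Reclaim's. It retries only on 429 and 5xx, backs off exponentially with full jitter and a cap, honours a `Retry-After` value when one is present, and reuses one `Idempotency-Key` across all attempts so that a POST which reached Stripe before the response was lost is deduplicated server-side instead of creating a second object. `StripeAPIError` and `FakeStripeEndpoint` are constructed stand-ins for the SDK's error type and a real endpoint; the `sleep` and `rng` parameters exist so the loop can be tested without waiting.

```python
import random
import time
import uuid
from typing import Callable, List, Optional


class StripeAPIError(Exception):
    """Constructed stand-in for the SDK's error types: carries the HTTP status
    and, for 429s, the Retry-After value if the API sent one."""

    def __init__(self, status: int, retry_after: Optional[float] = None) -> None:
        super().__init__(f"HTTP {status}")
        self.status = status
        self.retry_after = retry_after


def is_retryable(err: StripeAPIError) -> bool:
    # 429 (rate limited) and 5xx (transient) are worth retrying. A 400/401/402
    # (bad request, bad key, card declined) will fail the same way again.
    return err.status == 429 or 500 <= err.status < 600


def call_with_backoff(request: Callable[[str], dict], *, max_attempts: int = 5,
                      base: float = 0.5, cap: float = 8.0,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random) -> dict:
    """Retry a POST with capped exponential backoff and full jitter.

    `request` receives the Idempotency-Key to send. The SAME key is used on
    every attempt; generating a fresh one per attempt would defeat the purpose.
    """
    idempotency_key = str(uuid.uuid4())
    for attempt in range(1, max_attempts + 1):
        try:
            return request(idempotency_key)
        except StripeAPIError as err:
            if not is_retryable(err) or attempt == max_attempts:
                raise
            delay = rng() * min(cap, base * 2 ** (attempt - 1))
            if err.retry_after is not None:
                delay = max(delay, err.retry_after)  # never retry sooner than the API asked
            sleep(delay)
    raise AssertionError("unreachable: loop returns or raises")


class FakeStripeEndpoint:
    """Constructed fake of one Stripe POST endpoint: fails `failures` times with
    `status`, then succeeds. Records every Idempotency-Key it was given."""

    def __init__(self, failures: int, status: int) -> None:
        self.remaining = failures
        self.status = status
        self.keys: List[str] = []

    def __call__(self, idempotency_key: str) -> dict:
        self.keys.append(idempotency_key)
        if self.remaining > 0:
            self.remaining -= 1
            raise StripeAPIError(self.status, retry_after=1.0 if self.status == 429 else None)
        return {"id": "cus_constructed_0001"}


if __name__ == "__main__":
    endpoint = FakeStripeEndpoint(failures=2, status=429)
    result = call_with_backoff(endpoint, sleep=lambda d: None)
    print(result, "after", len(endpoint.keys), "attempts, distinct keys:", len(set(endpoint.keys)))
```

The official stripe-python client implements the same pattern for its own calls when `stripe.max_network_retries` is set; writing it by hand matters mostly for outbound calls your app makes outside the SDK, and for understanding why a retry loop without a stable idempotency key is a way to double-charge.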

What I'd tell someone building a Stripe app today

Start with OAuth. It's the most annoying part and it gates everything else. Get it working perfectly before you build any features.

Use Stripe's test clock feature. It lets you simulate time passing so you can test subscription lifecycle events without waiting days. I wish I'd found this earlier — I spent my first week manually creating and canceling subscriptions.

Read the app review checklist before you write any code. Stripe publishes what they check. I didn't read it until I was almost done, and I had to go back and retrofit several things.

Keep your app's permissions minimal. Request only the Stripe scopes you actually need. The review team will ask why you need each one.

The review takes about two weeks. Plan for at least one round of feedback. My first submission came back with five items to fix. Second submission was approved.

The Claude API integration

The AI part was actually the smoothest part of the build. I use Claude to analyze decline codes in context and generate recovery emails. The key decision was having Claude return structured output, a JSON object that conforms to a schema: I send it the decline code, customer history, and merchant preferences, and it returns a structured response with the email subject, body, and recommended retry timing.

This means the AI output is predictable and parseable, not a blob of text I have to hope is formatted correctly. The schema pins down the shape, not the content, so the fields still need validating before anything goes out to a customer.
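An added example of the structured-output side of this, written by me rather than taken from Reclaim. The `RECOVERY_EMAIL_TOOL` dict is the shape one would pass as a tool's `input_schema` to the Claude Messages API (and force with `tool_choice`) so the reply arrives as a JSON object; the field names, limits and categories are assumptions for the example. The validator treats that object as untrusted input: it rejects missing or extra fields, out-of-range retry timing, and, because a "please update your card" email is phishing-shaped by nature, any link in the body that does not point at a host the merchant controls. The API call itself is not made here; `GOOD_OUTPUT` is a constructed reply standing in for it.

```python
import re
from typing import Any, Dict, List
from urllib.parse import urlparse

# Tool definition in the Messages API shape; the model fills `input` to match input_schema.
RECOVERY_EMAIL_TOOL = {
    "name": "draft_recovery_email",
    "description": "Return the recovery email and retry plan for a failed subscription payment.",
    "input_schema": {
        "type": "object",
        "properties": {
            "failure_category": {"type": "string",
                                 "enum": ["expired_card", "insufficient_funds", "bank_block", "other"]},
            "subject": {"type": "string"},
            "body": {"type": "string"},
            "retry_after_days": {"type": "integer", "minimum": 0, "maximum": 14},  # 0 = do not retry
        },
        "required": ["failure_category", "subject", "body", "retry_after_days"],
        "additionalProperties": False,
    },
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample reply, the kind of object the tool_use block's `input` would hold.
ALLOWED_HOSTS = ["billing.example.com"]
GOOD_OUTPUT = {
    "failure_category": "expired_card",
    "subject": "Your card on file has expired",
    "body": ("Hi, your payment for Example Plan could not be processed because the card on "
             "file has expired. Update it at https://billing.example.com/update-card to keep "
             "your subscription active."),
    "retry_after_days": 0,
}


def validate_recovery_output(output: Dict[str, Any], allowed_link_hosts: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the output may be used.

    The schema is a hint to the model, not a guarantee, so every field is
    re-checked here in plain Python before it reaches an email or a scheduler.
    """
    schema = RECOVERY_EMAIL_TOOL["input_schema"]
    props = schema["properties"]
    problems: List[str] = []
    for key in schema["required"]:
        if key not in output:
            problems.append(f"missing {key}")
    for key in output:
        if key not in props:
            problems.append(f"unexpected field {key}")
    if problems:
        return problems
    if output["failure_category"] not in props["failure_category"]["enum"]:
        problems.append("unknown failure_category")
    for key, limit in (("subject", 120), ("body", 2000)):
        value = output[key]
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key} must be a non-empty string")
        elif len(value) > limit:
            problems.append(f"{key} longer than {limit} chars")
    days = output["retry_after_days"]
    if not isinstance(days, int) or isinstance(days, bool) or not 0 <= days <= 14:
        problems.append("retry_after_days out of range")
    # Phishing guard: the email may only link to hosts the merchant controls.
    for url in URL_RE.findall(str(output.get("body", ""))):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_link_hosts:
            problems.append(f"link to non-allowlisted host {host}")
    return problems


if __name__ == "__main__":
    print("good:", validate_recovery_output(GOOD_OUTPUT, ALLOWED_HOSTS))
    tampered = dict(GOOD_OUTPUT, body="Update your card at https://billing-example.evil.test/update",
                    retry_after_days=90)
    print("bad:", validate_recovery_output(tampered, ALLOWED_HOSTS))
```

Anything that fails validation should be discarded and regenerated (or fall back to a merchant-approved template), never patched up and sent; the retry timing in particular feeds a scheduler, so an out-of-range value is a correctness bug as well as a content problem.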

Was it worth it?

Building a Stripe Marketplace app is significantly harder than just using their API. The review process is thorough — closer to Apple's App Store review than a typical API integration.

But being in the Stripe Marketplace means merchants find you where they already work. They don't need to leave their Stripe Dashboard. The trust signal of "Stripe reviewed and approved this" is real.

If you're building something that genuinely adds value to Stripe merchants, it's worth the extra effort. Just don't underestimate the engineering work around OAuth, webhooks, and error handling. The AI was the easy part.


Reclaim is live on the Stripe App Marketplace. If you're losing revenue to failed payments, it's worth a look.
