Operator integrations vs partner integrations
There are two ways to connect to the Stora API:| Operator integration | Partner integration | |
|---|---|---|
| Who builds it | The operator (or their developer) | A third-party company |
| Auth flow | Access Token or Client Credentials | Authorization Code (required) |
| Scope | Single operator’s data | Multiple operators, each authorising independently |
| Setup | Manage a connected operator account in the Developer Portal | Create and submit a partner app in the Developer Portal |
| Example | Internal reporting dashboard, custom booking widget | Smart entry provider, CRM connector, accounting sync |
How the partner programme works
Create a partner app
Use the Developer Portal to create a partner application for your integration.
Develop and test
Use test operators in the Developer Portal while you build your integration with the Authorization Code flow. Test applications can be used with your test operators, or with real operators that accept an application invitation.
Prepare your listing
Manage your partner application listing for
marketplace.stora.co in the Developer Portal.Submit for review
Submit your application approval request when your integration is ready. Before you submit, use the partner approval checklist to review scopes, External Events, error handling, connection lifecycle, and operator-facing behavior.
Technical requirements
These apply to all partner integrations. Meeting them is part of the review process.Naming and presentation
Your integration must use a distinct product name and must not imply that Stora built, owns, operates, or endorses it. If you’re distributing a plugin, extension, or packaged integration, follow the third-party plugin naming rules before you publish.Authentication
- You must use the OAuth 2.0 Authorization Code flow. No other flow is accepted for partner integrations.
- Handle token refresh correctly — access tokens expire after 2 hours.
- Never ask operators to share or copy-paste credentials. Your integration should handle the OAuth flow end-to-end.
- If you’re distributing your integration as code that runs outside infrastructure you control (WordPress plugin, browser extension, client-side app extension, packaged on-premise tool, etc.), follow the broker pattern — PKCE alone is not sufficient for multi-tenant distribution.
Identify the connected operator
UseGET /oauth2/token/info with the current access token to inspect the connected account and granted scopes.
Your integration must display the returned operator.name in your app. A single Stora staff member can have access to multiple operators, so they need to know which operator account is connected.
Use the returned scopes to check whether the current token includes the permissions your integration needs. If a newly added feature requires scopes that are missing, prompt the operator to reconnect through the Authorization Code flow so they can re-authorise the expanded scopes.
Disconnect and reconnect
Your integration must expose operator-facing Disconnect and Reconnect actions in its UI. Operators expect to manage the connection from inside the product they installed.- Disconnect must call
POST /oauth2/revokewith a valid token and your OAuth client credentials, then discard the locally stored tokens. Passing either the access token or the refresh token revokes the pair — one call is enough. - Reconnect is re-running the Authorization Code flow. Expose it in the UI even while the current tokens are still valid, so operators can re-grant expanded scopes or switch Stora accounts without uninstalling.
- On uninstall or deprovisioning, your integration must automatically revoke tokens and discard local state. For distributed plugins, wire the same revoke-and-discard into the host’s uninstall hook. For hosted marketplace apps, use the platform’s deprovisioning webhook, such as Shopify’s
app/uninstalledwebhook. These hooks are best-effort; treat them as a hygiene layer on top of the explicit Disconnect action, not a replacement for it.
400 or 401 from the token endpoint), surface a clear “reconnect” prompt to the operator.
For plugin-distributed integrations, see Disconnecting and reconnecting in the broker guide for the broker-side responsibilities.
External Events
When your integration takes an action in Stora on behalf of an operator, it must be visible to them. You’re required to create Timeline Events for actions originating on your platform. For example:- “Unit locked via YourApp”
- “Customer contacted via YourApp”
Rate limits
Standard rate limits apply (10 requests/second, 60 requests/minute) per operator, shared with their other API usage. Strategic partners may negotiate independent higher limits for operators using their integration. Your integration must implement backoff when receiving429 responses — see rate limiting.
Idempotency
UseIdempotency-Key headers on all POST requests to prevent duplicate operations. See idempotent requests.
Error handling
Handle all documented error codes gracefully. Do not retry indefinitely on4xx errors.
Metadata
Use themetadata field to store your own references on supported resources (contacts, orders, tasks, notes, webhook endpoints) rather than maintaining external mapping tables.