Implementing Marketplace Plugins/Integrations for SaaS Applications
A plugin marketplace transforms a product into a platform: partners create integrations, users install what they need. Atlassian Marketplace, Shopify App Store, Figma Plugins — all examples.
Architecture: Two Types of Extensions
Server-side integrations — OAuth applications that interact with your API on behalf of the user. A third-party service (e.g., Zapier or n8n) authorizes and calls your API.
Client-side plugins — JavaScript code executed in an iframe or Web Worker on the client side. Figma Plugin Model — an example.
Plugin Registry
model Plugin {
id String @id @default(cuid())
slug String @unique
name String
description String @db.Text
author String
authorUrl String?
iconUrl String?
category PluginCategory
installCount Int @default(0)
rating Float?
isVerified Boolean @default(false)
isPublished Boolean @default(false)
// For server-side: OAuth credentials
clientId String? @unique
clientSecret String? // encrypted
// Manifest
permissions String[] // ['read:projects', 'write:tasks']
webhookUrl String?
oauthConfig Json?
installations PluginInstallation[]
reviews PluginReview[]
}
model PluginInstallation {
id String @id @default(cuid())
pluginId String
tenantId String
installedAt DateTime @default(now())
config Json? // installation-specific settings
accessToken String? // OAuth token for the plugin
plugin Plugin @relation(fields: [pluginId], references: [id])
tenant Tenant @relation(fields: [tenantId], references: [id])
@@unique([pluginId, tenantId])
}
Plugin Installation Process
// OAuth flow for server-side plugin installation
export async function initiatePluginInstall(
tenantId: string,
pluginSlug: string
): Promise<string> {
const plugin = await db.plugin.findUniqueOrThrow({
where: { slug: pluginSlug }
});
// Generate state for CSRF protection
const state = await generateState({
tenantId,
pluginId: plugin.id,
action: 'install',
});
// Redirect to plugin OAuth provider
const authUrl = new URL(plugin.oauthConfig?.authorizationUrl as string);
authUrl.searchParams.set('client_id', plugin.clientId!);
authUrl.searchParams.set('redirect_uri', `${process.env.APP_URL}/marketplace/callback`);
authUrl.searchParams.set('scope', plugin.permissions.join(' '));
authUrl.searchParams.set('state', state);
authUrl.searchParams.set('response_type', 'code');
return authUrl.toString();
}
// Callback after OAuth authorization
export async function completePluginInstall(
code: string,
state: string
): Promise<void> {
const { tenantId, pluginId } = await verifyState(state);
const plugin = await db.plugin.findUniqueOrThrow({
where: { id: pluginId }
});
// Exchange code for token
const tokenResponse = await fetch(plugin.oauthConfig?.tokenUrl as string, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
code,
client_id: plugin.clientId,
client_secret: decryptToken(plugin.clientSecret!),
redirect_uri: `${process.env.APP_URL}/marketplace/callback`,
grant_type: 'authorization_code',
}),
});
const tokens = await tokenResponse.json();
await db.pluginInstallation.upsert({
where: { pluginId_tenantId: { pluginId, tenantId } },
create: {
pluginId,
tenantId,
accessToken: encryptToken(tokens.access_token),
},
update: {
accessToken: encryptToken(tokens.access_token),
}
});
// Notify plugin about installation
if (plugin.webhookUrl) {
await fetch(plugin.webhookUrl, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
event: 'plugin.installed',
tenantId,
timestamp: new Date().toISOString(),
}),
});
}
await db.plugin.update({
where: { id: pluginId },
data: { installCount: { increment: 1 } }
});
}
API for Plugin Developers
// Plugins interact through OAuth-authorized API requests
// app/api/v1/[...]/route.ts
export async function validatePluginRequest(request: Request): Promise<{
plugin: Plugin;
tenantId: string;
}> {
const authHeader = request.headers.get('Authorization');
if (!authHeader?.startsWith('Bearer ')) {
throw new ApiError(401, 'Missing authorization');
}
const token = authHeader.slice(7);
// Verify token
const installation = await db.pluginInstallation.findFirst({
where: {
// In reality: verify JWT or search by token hash
accessToken: encryptToken(token),
},
include: { plugin: true }
});
if (!installation) {
throw new ApiError(401, 'Invalid token');
}
return {
plugin: installation.plugin,
tenantId: installation.tenantId,
};
}
Marketplace UI
// app/marketplace/page.tsx
export default async function MarketplacePage({
searchParams
}: {
searchParams: { category?: string; q?: string }
}) {
const plugins = await db.plugin.findMany({
where: {
isPublished: true,
...(searchParams.category ? { category: searchParams.category as PluginCategory } : {}),
...(searchParams.q ? {
OR: [
{ name: { contains: searchParams.q, mode: 'insensitive' } },
{ description: { contains: searchParams.q, mode: 'insensitive' } },
]
} : {}),
},
orderBy: { installCount: 'desc' },
});
const tenant = await getCurrentTenant();
const installedPluginIds = new Set(
(await db.pluginInstallation.findMany({
where: { tenantId: tenant!.id },
select: { pluginId: true },
})).map(i => i.pluginId)
);
return (
<div>
<MarketplaceSearch />
<CategoryFilter />
<PluginGrid
plugins={plugins}
installedIds={installedPluginIds}
/>
</div>
);
}
Plugin marketplace development with OAuth installation and developer API — 8–14 business days.