Source: ai-research/ghl-2026-05-01/support-solutions-articles-155000000136-how-to-get-started-with-the-developer-s-marketplace.md, ai-research/ghl-2026-05-01/support-solutions-articles-155000002458-how-to-manage-developer-user-accounts.md, ai-research/ghl-2026-05-01/support-solutions-articles-155000002545-enhanced-account-security.md

The Developer Marketplace at marketplace.gohighlevel.com is the home for everything related to building and shipping HighLevel apps: registering an app, configuring OAuth, defining scopes, picking a distribution model, setting pricing, and submitting for review. This article is an overview of the marketplace surface, how developer accounts work, the auto-created developer flow for agency admins, and the role-based access controls for team members. For the OAuth handshake itself see OAuth 2.0; for listing and distribution choices see Marketplace App Listing.

Key Takeaways

  • The Developer Marketplace is the developer-facing surface inside HighLevel where apps are registered, OAuth credentials are issued, scopes are picked, and the listing and pricing are configured before submitting for review.
  • Two access levels for OAuth apps: Location Level (per sub-account) and Agency Level (company-wide). The choice affects which scopes you can use and which token type the OAuth flow returns.
  • Apps are Public (listed in the marketplace, anyone can install) or Private (invite-only, capped at 5 agencies until you publish or pass security review).
  • An agency admin who clicks “Sell on Marketplace” without an existing developer account gets one auto-created in the background: the system creates a developer profile from the existing account, then prompts for a password, acceptance of the terms, and an email OTP to finish activation.
  • Developer accounts use Role-Based Access Control with three roles: Owner (one per account, full access, cannot transfer), Admin (manages other Admins/Users, cannot modify Owner), User (limited — view apps, manage apps, submit for review; cannot delete apps, view earnings, or manage users).
  • Enhanced Account Security has been the default since June 17, 2024. It disables auto-generation of location API keys, hides API keys from the Location CRUD API responses, and disables user CRUD via the legacy v1 API. Opt-out is possible in agency Settings but strongly discouraged.

What the Marketplace Gives You

When you sign up for a developer account at marketplace.gohighlevel.com and click “Create App,” you get:

  • An App ID — unique identifier shown under the app name in the developer dashboard
  • A Client ID and Client Secret for OAuth — generated when you create client credentials
  • Scope configuration — pick from the list at marketplace.gohighlevel.com/docs/Authorization/Scopes
  • Webhook URL configuration — your POST endpoint that receives event payloads
  • Redirect URI configuration — where HighLevel sends users after they authorize the app
  • Pricing setup, listing controls, distribution model, support links, app profile

App Type: Public vs Private

| Type | Visibility | Install | Use Case |
|---|---|---|---|
| Public | Listed in the Marketplace | Any agency or sub-account with permission | Apps you want to sell or distribute broadly |
| Private | Not listed; invite-only | Capped at 5 agencies until you go Public or pass Security Review | Internal tools, pilot apps, single-customer integrations |

The Private cap counts unique agencies, not sub-accounts. Once you reach 6 agencies, new installs are blocked until you publish the app or get Security Review approval.

Sell on Marketplace — Auto-Created Developer Accounts

For agency admins who haven’t already signed up at the developer portal: clicking Sell on Marketplace triggers an auto-create flow.

  1. HighLevel creates a developer profile in the background using existing agency account details.
  2. The admin is redirected to sign in.
  3. They’re prompted to: enter a password, accept the developer terms and conditions, and verify a one-time password sent by email.
  4. Once verified, they’re signed into the new developer account and continue the Marketplace listing flow.

No separate developer signup form is needed — the agency admin’s existing identity is reused.

Developer User Roles (RBAC)

A developer account can have multiple users, managed under Account → User Management. Three roles:

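| Permission | Owner | Admin | User |
|---|---|---|---|
| View apps | Yes | Yes | Yes |
| Create and manage apps | Yes | Yes | Yes |
| Delete apps | Yes | Yes | No |
| Submit for review | Yes | Yes | Yes |
| View app earnings | Yes | Yes | No |
| Create & manage users | Yes | Yes | No |
| View app dashboard | Yes | Yes | Yes |
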
  • Owner: the original signup. Only one per account. Full access. Ownership cannot be transferred.
  • Admin: same access as Owner except cannot modify Owner details.
  • User: limited to viewing/creating/managing/submitting apps. Cannot delete apps, see earnings, or manage other users.

To add a user: navigate to Account → User Management → Add User, enter their email, assign Admin or User, toggle individual permission overrides, click Submit. The user receives an activation email; they set a password and the account becomes active.

To remove a user: navigate to their profile in the Users section, click Remove User. Only Owners and Admins can delete users.
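
A least-privilege review of a developer account roster, added here as an example (not HighLevel's code): it applies the per-user override toggles on top of the role defaults from the table and flags any account whose overrides exceed its role. The roster format, the permission names, and the grant/revoke semantics of overrides are assumptions.

```python
from dataclasses import dataclass, field

ALL_PERMS = {"view_apps", "manage_apps", "delete_apps", "submit_review",
             "view_earnings", "manage_users", "view_dashboard"}
# Role defaults transcribed from the permission table on this page.
ROLE_DEFAULTS = {
    "Owner": set(ALL_PERMS),
    "Admin": set(ALL_PERMS),
    "User": ALL_PERMS - {"delete_apps", "view_earnings", "manage_users"},
}

@dataclass
class DevUser:
    email: str
    role: str
    # Assumption: an override maps a permission to True (grant) or False (revoke).
    overrides: dict = field(default_factory=dict)

def effective_permissions(user):
    """Role defaults with the per-user override toggles applied on top."""
    perms = set(ROLE_DEFAULTS[user.role])
    for perm, allowed in user.overrides.items():
        if perm not in ALL_PERMS:
            raise ValueError(f"unknown permission: {perm}")
        (perms.add if allowed else perms.discard)(perm)
    return perms

def can_manage(actor, target):
    """User management needs manage_users; only the Owner may change the Owner."""
    allowed = "manage_users" in effective_permissions(actor)
    return allowed and (target.role != "Owner" or actor.role == "Owner")

def audit(users):
    """Return (subject, kind, detail) findings for a least-privilege review."""
    findings = []
    owners = sum(u.role == "Owner" for u in users)
    if owners != 1:
        findings.append(("account", "owner_count", str(owners)))
    for u in users:
        extra = effective_permissions(u) - ROLE_DEFAULTS[u.role]
        if extra:
            findings.append((u.email, "override_escalation", ",".join(sorted(extra))))
    return findings

ROSTER = [  # constructed sample roster, not real accounts
    DevUser("owner@example.test", "Owner"), DevUser("admin@example.test", "Admin"),
    DevUser("dev@example.test", "User"),
    DevUser("contractor@example.test", "User", {"manage_users": True, "view_dashboard": False}),
]
```

On the sample roster, `audit(ROSTER)` reports the contractor account, whose single override gives a User-role account the ability to manage Admins.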

Enhanced Account Security

Default for all accounts since June 17, 2024. When enabled, it changes API behavior in three ways:

  1. Auto-generation of location API keys is disabled. When you create a new sub-account location (via UI or API), no API key is auto-generated. You must generate one manually through the UI.
  2. Location CRUD APIs no longer return API keys. Previously these endpoints exposed the location API key in the response. Now you must log in to the UI to retrieve it.
  3. Legacy v1 user APIs are disabled. The user create/update/delete endpoints on API v1 are turned off — these were the easiest path for an attacker holding a stolen API key to escalate access.

The setting also does not restore key generation for locations where the key was previously revoked — only locations with active keys benefit from the new defaults.

You can opt out under agency Settings, but the recommendation is to leave it on. See API Security for the broader API v1 deprecation context.
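
One way to confirm the second change from your side, as an added example rather than HighLevel code: walk captured Location API response bodies and report the JSON path of any non-empty key-like field, without echoing its value. The field-name pattern and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Assumption: key-bearing fields are named like apiKey / api_key; adjust to your payloads.
KEY_FIELD = re.compile(r"api[_-]?key", re.IGNORECASE)

def find_api_keys(node, path="$"):
    """Yield JSON paths of non-empty key-like fields anywhere in a decoded body."""
    if isinstance(node, dict):
        for name, value in node.items():
            child = f"{path}.{name}"
            if KEY_FIELD.search(name) and isinstance(value, str) and value:
                yield child  # report the location only, never the secret itself
            else:
                yield from find_api_keys(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_api_keys(item, f"{path}[{i}]")

def check_responses(captured):
    """Map each captured response label to the paths where a key was exposed."""
    report = {}
    for label, body in captured.items():
        paths = list(find_api_keys(json.loads(body)))
        if paths:
            report[label] = paths
    return report

# Constructed response bodies; field names and values are placeholders.
CAPTURED = {
    "create-location (setting on)": '{"id": "loc_A", "name": "Demo A"}',
    "list-locations (opted out)":
        '{"locations": [{"id": "loc_B", "apiKey": "PLACEHOLDER-KEY"},'
        ' {"id": "loc_C", "apiKey": ""}]}',
}

if __name__ == "__main__":
    for label, paths in check_responses(CAPTURED).items():
        print(label, "->", paths)
```

An empty report from responses captured in your own integration is consistent with the setting being on; any reported path means a key is reaching your logs or caches and should be rotated through the UI.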

Distribution Type Quick Reference

When you create an app you also pick a Distribution Type — see Marketplace App Listing for full configuration options. Two legacy buckets:

  • Agency: app accessible to all agency-level admins; a single agency-wide install
  • Sub-Account: app installs against individual locations; bulk-install support is recommended for newer apps

The newer model uses three orthogonal fields (target user, who can install, bulk-install support) and replaces the older two-option choice — older apps are auto-mapped for backward compatibility.

Try It

  • Sign up for a developer account at https://marketplace.gohighlevel.com (or click Sell on Marketplace from an agency admin account to trigger the auto-create flow).
  • Create your first app: click Create App, fill in profile, pick App Type (Public/Private) and Distribution Type, save.
  • Add scopes from marketplace.gohighlevel.com/docs/Authorization/Scopes matching what your app needs to do.
  • Generate Client ID and Client Secret in the app settings — store them securely; the secret is shown once.
  • Set the OAuthToken Redirect URL to the GET endpoint in your app that handles the OAuth callback.
  • Add team members under Account → User Management with Admin or User roles depending on what they need to do.
  • Verify Enhanced Account Security is on under agency Settings; if you disabled it, re-enable.
  • Join the Developer Council Slack at https://www.gohighlevel.com/dev-slack for real-time help.

Open Questions

  • The Security Review process for Private apps that want to stay Private past the 5-agency cap — the source mentions it as a path to lift the cap but doesn’t document the review criteria or SLA.
  • Ownership transfer — sources say it cannot be transferred; whether HighLevel support can intervene for ownership-change cases is unstated.