Choosing the right architecture and authorization

The Marketplace supports two architectural styles and two authorization options for your apps: you can build client-side or full-stack apps, with either built-in authorization managed by the Marketplace SDK or your own custom authorization.

Tip

For your first Marketplace app, we recommend that you create a client-side app with built-in authorization. This is the simplest option, ideal for getting started with the Marketplace. You can opt in to more complex options later, as your requirements change.

When choosing your app architecture and authorization, consider the following application requirements:

  • Do you want to protect your client-side or full-stack app with Sitecore authentication to prevent non-Sitecore users from accessing your app?

    • If yes, use custom authorization.

    • If no, use the built-in authorization.

  • Does your app need to make API requests to SitecoreAI APIs from the server rather than from the client?

    • If yes, create a full-stack app and use custom authorization.

    • If no, create either a client-side or a full-stack app with one of the following:

      • Built-in authorization - the app can make API requests to SitecoreAI APIs only from the client.

      • Custom authorization - the app can make API requests to SitecoreAI APIs from both the client and the server.

Examples

The following section describes examples of Marketplace apps and the architecture and authorization choices we recommend for them.

UI extension

Recommendation: client-side app with built-in authorization

Consider a color picker or icon library app that appears in a SitecoreAI Page builder custom field. The simplest architecture for such an app is a single-page application (SPA) that runs entirely in the user's web browser, with no server-side logic. To build such an app, you can create a client-side app with built-in authorization managed by the Marketplace SDK.

Server-side app with no SitecoreAI API access

Recommendation: full-stack app with built-in authorization

Consider an app that needs to run server-side logic, for example, to render server-side components or interact with an external service on the server, but does not need access to SitecoreAI APIs. In this scenario, you need a full-stack application, but you don't need to use custom authorization. The built-in authorization managed by the Marketplace SDK is ideal because it abstracts the authorization flow away from you, and it's sufficient for apps that don't need to interact with SitecoreAI APIs.

AI-powered app

Recommendation: full-stack app with custom authorization

Consider an app that uses agentic workflows or similar AI integrations that involve large language models (LLMs) or Model Context Protocol (MCP) servers. In this scenario, you probably need a full-stack application with custom authorization so your app can make API requests to SitecoreAI APIs from the server. It's best practice to use the server for AI-powered apps for security reasons and because AI tools are typically server-side.
