# Plugin SDK

> CLI, App Bridge, scopes, billing, UI components, and publishing guide

- [Distribution](/docs/plugin-sdk/distribution): Choose between private and public distribution modes. Private plugins are auto-approved. Public plugins require review and appear in the marketplace.
- [Plugin SDK](/docs/plugin-sdk): Build plugins that extend Whatalo's admin with full-page iframe applications — from analytics dashboards to custom order management tools.
- [Quick Start](/docs/plugin-sdk/quick-start): Go from zero to a running Whatalo plugin in under 15 minutes.
- [Review Process](/docs/plugin-sdk/review-process): All public plugins go through a manual review before being listed in the marketplace. Understand what reviewers check and how to prepare your submission.
- [Updates & Versioning](/docs/plugin-sdk/updates-and-versioning): How to ship updates to approved plugins. Understand pending changes, scope consent, and how to use the deploy command in CI/CD.
- [Context & Session](/docs/plugin-sdk/app-bridge/context-and-session): Read store, user, and environment data provided by the Whatalo admin through the App Bridge.
- [Navigation](/docs/plugin-sdk/app-bridge/navigation): Handle in-plugin page routing and navigate the Whatalo admin from your plugin using the App Bridge.
- [App Bridge Overview](/docs/plugin-sdk/app-bridge/overview): The communication layer between your plugin iframe and the Whatalo admin — built on postMessage with strict origin validation.
- [Theme Integration](/docs/plugin-sdk/app-bridge/theme-integration): Keep your plugin visually in sync with the Whatalo admin's light and dark mode using the App Bridge.
- [UI Actions](/docs/plugin-sdk/app-bridge/ui-actions): Show toast notifications, open modals, and resize your plugin iframe using the App Bridge.
- [Authentication](/docs/plugin-sdk/api-client/authentication): Understanding the two authentication methods in the Whatalo plugin ecosystem — API keys for server-to-server calls and session tokens for frontend-to-backend calls.
- [Customers](/docs/plugin-sdk/api-client/customers): Access merchant customer data using client.customers — list and get individual customer records.
- [Data Bridge](/docs/plugin-sdk/api-client/data-bridge): Read store data directly from your plugin frontend using useWhataloData() — no backend required.
- [Discounts](/docs/plugin-sdk/api-client/discounts): Create and manage discount codes using client.discounts — list, get, create, update, and delete discount records.
- [Errors & Rate Limits](/docs/plugin-sdk/api-client/errors-and-rate-limits): Handle API errors and rate limits using WhataloClient's typed error classes and built-in retry logic.
- [Inventory](/docs/plugin-sdk/api-client/inventory): Read and adjust product inventory levels using client.inventory — get current stock and apply quantity adjustments.
- [Orders](/docs/plugin-sdk/api-client/orders): Read order data and update order status using client.orders — list, get, updateStatus, and count.
- [API Client Overview](/docs/plugin-sdk/api-client/overview): Introduction to WhataloClient — the typed REST client for accessing store data from your plugin's server-side code.
- [Products](/docs/plugin-sdk/api-client/products): Read and manage product catalog data using client.products — list, get, create, update, delete, and count.
- [Session Tokens](/docs/plugin-sdk/api-client/session-tokens): How to use short-lived session tokens to authenticate plugin frontend requests to your backend server.
- [Store](/docs/plugin-sdk/api-client/store): Read store configuration and metadata using client.store.get — currency, timezone, domain, and more.
- [Webhooks (API Client)](/docs/plugin-sdk/api-client/webhooks-api): Manage webhook subscriptions programmatically using client.webhooks — list, create, update, and delete webhook registrations.
- [Billing SDK Reference](/docs/plugin-sdk/billing/billing-sdk-reference): Complete reference for all App Bridge billing methods. Query plans, manage subscriptions, and handle errors from inside your plugin.
- [Billing Overview](/docs/plugin-sdk/billing/overview): Monetize your plugin by creating pricing plans. Merchants subscribe to your plans, and you earn revenue minus a platform commission.
- [Plans & Pricing](/docs/plugin-sdk/billing/plans-and-pricing): Create up to 5 active pricing plans per plugin through the Developer Portal. Define pricing type, billing interval, trial period, and feature list.
- [Revenue & Payouts](/docs/plugin-sdk/billing/revenue-and-payouts): Track your plugin earnings and request payouts through the Developer Portal. Understand commission calculation and payout requirements.
- [Subscription Flow](/docs/plugin-sdk/billing/subscription-flow): How merchants subscribe to your plugin's pricing plans using the App Bridge billing API.
- [Plugin Design Guidelines](/docs/plugin-sdk/best-practices/design-guidelines): Ten guidelines for building plugins that feel native to the admin — component usage, dark mode support, loading states, empty states, and navigation patterns.
- [Error Handling](/docs/plugin-sdk/best-practices/error-handling): Patterns for handling bridge timeouts, typed API errors, user-facing error states, billing failures, and webhook processing errors.
- [Performance Best Practices](/docs/plugin-sdk/best-practices/performance): Guidelines for keeping your plugin fast — bundle size, initial load time, API usage patterns, resize rate limits, and lazy loading.
- [Security Best Practices](/docs/plugin-sdk/best-practices/security): Essential security guidelines for plugin developers — webhook verification, secret management, scope minimization, input validation, and token handling.
- [whatalo deploy](/docs/plugin-sdk/cli-reference/deploy): Build and deploy a new version of your plugin to the Whatalo marketplace.
- [whatalo dev](/docs/plugin-sdk/cli-reference/dev): Start local development with a live tunnel — your plugin appears in the Whatalo admin sidebar instantly.
- [whatalo env](/docs/plugin-sdk/cli-reference/env): Pull environment variables from the portal to your local .env file, or display them in the terminal.
- [whatalo init](/docs/plugin-sdk/cli-reference/init): Create a new plugin project interactively — scaffolds files, registers the plugin, and shows your credentials.
- [whatalo login](/docs/plugin-sdk/cli-reference/login): Authenticate the CLI with your Whatalo developer account using a browser-based Device Flow.
- [whatalo logs](/docs/plugin-sdk/cli-reference/logs): View and stream webhook delivery logs for your plugin — filter by event type, status, or store.
- [CLI Overview](/docs/plugin-sdk/cli-reference/overview): Install and authenticate the Whatalo CLI — 14 commands for the full plugin development lifecycle.
- [Utility Commands](/docs/plugin-sdk/cli-reference/utility-commands): whatalo whoami, logout, info, doctor, and upgrade — tools for managing your session and environment.
- [whatalo validate](/docs/plugin-sdk/cli-reference/validate): Validate your plugin project config, manifest, dependencies, and security — without making any API calls.
- [whatalo webhook trigger](/docs/plugin-sdk/cli-reference/webhook-trigger): Send a test webhook event to your plugin during local development — no real orders or customers required.
- [Environment Variables](/docs/plugin-sdk/configuration/environment-variables): Reference for all environment variables used during plugin development, with security guidance.
- [Plugin Manifest](/docs/plugin-sdk/configuration/plugin-manifest): Define your plugin's identity, permissions, and admin UI pages using defineApp() from @whatalo/plugin-sdk.
- [Project Configuration](/docs/plugin-sdk/configuration/project-config): Configure your local development environment and build process with whatalo.app.toml.
- [Scopes & Permissions](/docs/plugin-sdk/configuration/scopes-and-permissions): Declare the API permissions your plugin needs. Merchants grant these during installation.
- [Build Your First Plugin](/docs/plugin-sdk/getting-started/build-your-first-plugin): A complete end-to-end tutorial — from scaffolding to a running plugin with real store data in 15 minutes.
- [Platform Overview](/docs/plugin-sdk/getting-started/platform-overview): What the Whatalo Plugin Platform is, what you can build, and how distribution works.
- [Plugin Architecture](/docs/plugin-sdk/getting-started/plugin-architecture): How the iframe model, App Bridge protocol, and security sandbox work together.
- [Prerequisites](/docs/plugin-sdk/getting-started/prerequisites): What you need before building a Whatalo plugin.
- [Event Reference](/docs/plugin-sdk/webhooks/event-reference): Complete reference for all 13 Whatalo webhook events — order, product, customer, inventory, and plugin lifecycle events.
- [Handling Webhooks](/docs/plugin-sdk/webhooks/handling-webhooks): Use SDK-provided webhook handlers for Next.js, Hono, and Express to receive and process Whatalo events with built-in signature verification.
- [Webhooks Overview](/docs/plugin-sdk/webhooks/overview): Understand how Whatalo delivers real-time event notifications to your plugin and how to declare webhook subscriptions in your manifest.
- [Verification & Security](/docs/plugin-sdk/webhooks/verification): Verify Whatalo webhook signatures using HMAC-SHA256 to prevent forged requests and replay attacks.
- [Action Components](/docs/plugin-sdk/ui-components/actions): Interactive components that trigger user actions — Button, Link, and Accordion — with a full real-world example combining multiple components.
- [Content Components](/docs/plugin-sdk/ui-components/content): Display components for typography, status indicators, messages, lists, and loading states — Text, Badge, Banner, List, and Spinner.
- [Hooks](/docs/plugin-sdk/ui-components/hooks): useAutoResize and useThemeSync — the two hooks included in the WUI library that handle iframe height reporting and admin theme synchronization.
- [Layout Components](/docs/plugin-sdk/ui-components/layout): Structural components for building plugin pages — Page, PageHeader, Layout, Card, Box, BlockStack, InlineStack, and Divider.
- [UI Components Overview](/docs/plugin-sdk/ui-components/overview): Pre-built component library included with every plugin scaffolded by whatalo init, designed to match the admin look and feel with automatic dark/light theme support.

## See Also

- [Whatalo API](/docs/api/llms.txt): REST API reference, authentication, webhooks, and resource endpoints
- [Theme SDK](/docs/theme-sdk/llms.txt): Build custom themes for Whatalo storefronts
- [Third-Party Integrations](/docs/third-party/llms.txt): Integration guides for external services
- [Legal & Policies](/docs/policies/llms.txt): Terms, agreements, review guidelines, and data privacy