FAQ-000085 - API-Only Application Security Review / Application Classification

Current Status: VALID_RESPONSE

Current FAQ

Question
How do I determine if my solution qualifies as an "API-only app" for the security review submission?
Answer
To determine if your solution qualifies as an API-only app for security review submission, it must operate exclusively through APIs without including other components like user interfaces or managed packages. The solution should be connected to the AppExchange Partner Console as an API solution type. You'll need to provide the required information for the API solution, including any necessary documentation and security scan reports, and ensure it adheres to the security review requirements for API-only solutions.

AI Recommended Enhancement

Question
How do I determine if my solution qualifies as an "API-only app" for the security review submission?
Recommended Answer Update
To determine if your solution qualifies as an API-only app for security review submission, it must operate exclusively through APIs without including user interface components like Lightning components, Visualforce pages, or custom objects with page layouts. The solution should be registered in the AppExchange Partner Console as an API solution type. You'll need to provide the required documentation and security scan reports for API-only solutions, ensuring it meets all security review requirements for this application type.
Reasoning
The original answer was generally accurate but contained some unclear terminology that could confuse developers. The phrase 'managed packages' was imprecise since API-only apps can still be distributed as managed packages - the key distinction is the absence of UI components, not packaging type. I clarified this by specifically mentioning 'Lightning components, Visualforce pages, or custom objects with page layouts' as examples of UI components that would disqualify a solution from API-only classification. I also refined 'adheres to the security review requirements' to 'meets all security review requirements' for clearer language. No security rules were selected because this FAQ is purely about application classification criteria for security review submission, not about specific security vulnerabilities or coding practices that the available security scanner rules detect.