Review Process
Every extension version must pass an admin review before it can be published in the Lumio Extension Store. The review process ensures extensions are safe, functional, and appropriate for the platform.
Version lifecycle
lumio deploy → draft → pending_review → in_review → testing → pending_publish → published
↓
rejected
| Status | Description |
|---|---|
draft | Uploaded but not submitted. Visible only to you. |
pending_review | Submitted via the submission wizard. Waiting for a reviewer. |
in_review | An admin reviewer is actively checking the extension. |
testing | Approved for the testing phase. Invited testers can install it. |
pending_publish | Testing complete and approved. Waiting for final publish. |
published | Live in the extension store. All users can find and install it. |
rejected | Review failed. See the rejection reason in the dashboard. |
What reviewers check
Source code
- Extension source is readable and free of obfuscation
- No dynamic code execution via script injection or string-based runtime code generation with untrusted input
- No exfiltration of user data (secrets, account IDs, auth tokens) to external servers
- Server function code matches declared
egress.allowHosts— no requests to undeclared hosts - No infinite loops or resource exhaustion in server functions
Permissions and egress
- Declared permissions (
"permissions") match what the code actually uses - Egress allowlist hosts are appropriate for the extension's stated purpose
- No overly broad wildcards without strong justification
Database schema
- Table names and field names are appropriate and not offensive
- No attempt to escape the extension's isolated database schema
Extension metadata
- Name, description, icon, and screenshots are accurate and not misleading
- Category is appropriate for the extension's function
- No impersonation of other extensions or brands
Functionality
- The extension works as described
Lumio.render()is called within the 10-second timeout on all surfaces- No visual errors or crashes on first load
Review timeline
| Phase | Typical duration |
|---|---|
pending_review → in_review | 1–3 business days |
in_review → testing or rejected | 1–2 business days |
testing | 3–14 days (you control when to request publish) |
pending_publish → published | Within 24 hours |
First-time submissions may take longer as reviewers familiarize themselves with your extension.
Common rejection reasons
| Reason | How to fix |
|---|---|
| Undeclared egress hosts used in code | Add missing hosts to egress.allowHosts |
| Unused permissions declared | Remove permissions not used in useLumioAction() |
| Obfuscated JavaScript | Provide readable source code |
| Exfiltration of auth tokens | Never send user credentials to external servers |
Missing or broken Lumio.render() | Ensure all entry files call Lumio.render() |
| Icon/screenshots do not match extension | Update store listing assets |
| Description is misleading | Update description to accurately reflect functionality |
Appeal process
If your extension is rejected, you will receive the rejection reason in the dashboard and via email. You can:
- Fix the reported issues
- Deploy a new version with
lumio deploy - Submit the new version for review
There is no separate appeal form — fix the issue and resubmit. If you believe the rejection was made in error, contact support via the dashboard with your reasoning.
Re-review for updates
When you deploy a new version and submit it for review, only changes from the previous approved version are reviewed. This typically results in faster review times for minor updates.