Skip to main content
Application certification authorizes a specific Flows custom app version to deploy to a customer production environment. The certification confirms the app meets the same security, data, and UX standards that builders are trained against in Builder certification, and it applies to every app independently.
Application certification is required for every Flows custom app deployed to a customer production CDF project, even when built by a certified builder. Each app is certified independently, and every code change (new feature, bug fix, refactor, dependency bump) requires re-certification before redeploying to production.

When you need it

You’re deploying to …Application certification
A customer production project, first deployRequired before deploy
A customer production project, any code change (feature, bug fix, refactor, dependency bump)Required before redeploy
A customer dev or test projectNot required (signing may be waived for certified builders on request. Contact your Cognite customer representative.)
Prerequisites:
  • Active Builder certification (valid, not expired).
  • Enterprise license to Cursor, Claude Code, or another agentic coding tool (required to run the certification skills).
  • A Flows custom app created with npx @cognite/cli@latest apps create.
The flow is skill-driven. Each step is a slash command in your agentic coding tool. The skills generate artifacts in your app’s repository, and the final submit skill verifies that every prior artifact exists before packaging the build for submission.

How the certification flow works

1

Capture the App Brief

Run /flows-app-brief immediately after creating the app, before you start building.The skill acts as a certification coach: it pre-scans app.json and any spec files for context, then asks targeted questions about your user, the problem the app solves, the one-sentence value statement, and how you’ll measure success. It writes App-Brief.md at the repo root.App-Brief.md is the user-context document reviewers read first. The final submit skill blocks submission until every required field is populated.
2

Build the app

Develop your app using the latest Flows template. Follow the Get started with Flows guide for setup.Pull skills as you go (npx @cognite/cli@latest apps skills pull) so AI coding agents stay aligned with current Cognite best practices.
3

Run the code review

Run /flows-code-review to perform the technical review.The skill produces three artifacts under reviews/code-review/feedback-round-N/:
  • code-review-report.md — scored report covering correctness, SDK usage, dependencies, test coverage, dead code, patterns, Data Modeling Service (DMS) query efficiency, pagination, rate limiting, and Aura usage.
  • review-files.md — per-file inventory.
  • review-packages.md — dependency audit including npm audit results.
The report’s Summary block reports a Must Fix open: count. Re-run the skill (it creates a new feedback-round-N) until the count is 0.
4

Run the design review

Run /flows-design-review to score the app against the 10 design quality questions.The skill is semi-automated: for each question it runs concrete repo probes (grep, lint, build) and proposes a draft 1–5 score. You confirm or override each score after walking your tasks end-to-end in the running app. It writes design-review-report.md under reviews/design-review/feedback-round-N/.Target overall average: 3.8 or higher.
5

Verify and submit

Before running this skill, ensure you have run:
  • npx @cognite/cli@latest apps deploy — builds the app automatically (npm run build) and uploads it, creating the deploy bundle at .cognite-bundles/<externalId>-<versionTag>.zip
  • npx @cognite/cli@latest apps sign — signs the bundle and writes .dev.sig
Ensure your working tree is clean (git status shows nothing uncommitted) before running apps deploy. The build runs automatically and the source archive must match the deployed bundle exactly. See Deploy a Flows custom app for build options.
Run /flows-external-app-submit. The skill verifies five gates before packaging anything:
GateRequired
App-Brief.md complete (required fields: appName, customer, tier, owner, userRole, currentProblem, oneSentenceStory, successCriteria, userEvidence)Yes
Latest code-review-report.md reports Must Fix open: 0Yes
Latest design-review-report.md reports Average score: 3.8 or higherYes
No secrets in tracked files (.env*, .pem, .key, .p12, etc.)Blocked
Working tree cleanBlocked
On all-pass, the skill runs npx @cognite/cli@latest apps submit, which collects the source archive (src-<sha>.zip) and the deploy bundle into dist/certification/, then prompts you to add your screen recording to that folder before opening the pre-filled Zendesk form.
6

Submit through Cognite Zendesk

Open the Cognite Zendesk submission form. The form, subject, description, and Cognite Flows product field are pre-filled. Update the placeholders with your app’s details.Place your screen recording in dist/certification/ (the CLI prompts you to do this), then attach all files from that folder:
  • src-<sha>.zip — source archive (committed code only; design-review-report.md is included inside)
  • <externalId>-<versionTag>.zip — deploy bundle; required for signature verification
  • Screen recording of the application walking through the primary tasks (required for the design review)
Submit the ticket. Your submission is reviewed manually.
7

Respond to the review outcome

For dev / staging projects, the signing requirement may be waived by Cognite on request. Deploy your app, publish it, then activate it.For production projects, you’ll receive one of two outcomes from the Zendesk review:
  • Feedback: Address reviewer comments, re-run the relevant skills, commit the updated artifacts, and reply in the same Zendesk ticket with a fresh dist/certification/ folder (new src-<sha>.zip, deploy bundle, and updated screen recording if the UI changed).
  • Approval: Download the .cert.sig from the Yopass link in the ticket. Place it alongside your .dev.sig file, run npx @cognite/cli@latest apps publish, then npx @cognite/cli@latest apps activate.
No committed SLA at launch. Reviews are first-in, first-out as the team scales the process.

App tiers

The App Brief asks you to pick a tier so reviewers can calibrate expectations. Pick the closest match; “not sure” is fine, and the reviewer can adjust.
TierScopeExamples
Tier 1: Monitoring & reportingRead-only dashboards, asset/equipment overviews, KPI reportsAsset health dashboard, production KPI overview
Tier 2: Operational supportInteractive workflows that support an operator’s day, typically single user groupWork-order triage, data validation, shift handover
Tier 3: Business criticalMulti-step workflows, multiple roles, write-back into systems of recordApproval workflows, multi-user collaboration with state changes

Submission requirements

ItemSource
Source archive src-<sha>.zipdist/certification/ — created by npx @cognite/cli@latest apps submit
Deploy bundle <externalId>-<versionTag>.zipdist/certification/ — copied from .cognite-bundles/ by apps submit; must match the signed hash
Screen recording of the applicationdist/certification/ — placed there by the builder; should cover the primary user tasks named in App-Brief.md
App-Brief.md (inside src-<sha>.zip)Generated by /flows-app-brief
Latest code-review-report.md (inside src-<sha>.zip)Generated by /flows-code-review
Latest design-review-report.md (inside src-<sha>.zip)Generated by /flows-design-review

Self-check before submitting

Run this checklist immediately before you open the Zendesk ticket:
  • The app is targeting a customer production project (skip certification for dev or test).
  • App-Brief.md exists at the repo root and every required field is populated.
  • The latest reviews/code-review/feedback-round-N/code-review-report.md reports Must Fix open: 0.
  • The latest reviews/design-review/feedback-round-N/design-review-report.md reports Average score: of 3.8 or higher.
  • All skill-generated artifacts (App-Brief.md and the latest reviews/ reports) are committed to git (git add + git commit); the submit skill packages only committed files.
  • npx @cognite/cli@latest apps deploy has been run; deploy bundle exists at .cognite-bundles/.
  • npx @cognite/cli@latest apps sign has been run; .dev.sig exists.
  • /flows-external-app-submit ran and printed PASS for every gate.
  • Screen recording of the app’s primary tasks has been placed in dist/certification/.
  • All files in dist/certification/ (src-<sha>.zip, deploy bundle, screen recording) are ready to attach.
If every box is ticked, the submission is ready. Submit through the Cognite Zendesk submission form.

Troubleshooting common issues

Open the latest reviews/code-review/feedback-round-N/code-review-report.md and work the Must Fix section top to bottom. Re-run /flows-code-review after each batch of fixes; it creates a new feedback round so reviewers can see your progression. Submission stays blocked until the most recent round reports Must Fix open: 0.
The skill proposes scores from repo probes and your walkthrough notes; you can override any score it gets wrong. Re-run /flows-design-review in a new feedback round, override the scores you disagree with, and add an Improvement note explaining the reasoning so reviewers can follow your thinking.
Any CDF project the customer uses for production decisions, dashboards, or workflows; typically the project with production (or similar) in the name and published: true on deployments. If you’re unsure, ask the customer’s CDF administrator. When in doubt, certify.
No. The design review needs to see the app in motion across your primary user tasks. A short walkthrough (2–5 minutes) is enough; narration is optional but helpful.
Yes. Application certification is per-version and applies to every code change (new feature, bug fix, refactor, or dependency bump). Re-run the four skills against the new version and submit a fresh zip referencing the new commit hash before redeploying to the customer’s production project.
Yes. Certification is per-commit, not per-change-size. The re-run is fast when nothing meaningful has changed (the code-review and design-review skills produce reports quickly against a known-good codebase), so the friction is small. The guarantee that production only ever runs certified code is what matters.
Make the fixes, re-run /flows-code-review and /flows-design-review (each in a new feedback round), then re-run /flows-external-app-submit to produce a fresh zip. Open a new Zendesk ticket and note in the description that this is a re-certification, referencing the original ticket number.

Further reading

Last modified on May 26, 2026