# Track 2 — build a native integration surface

To become a first-class AO catalog integration (your tile, your OAuth
consent, automatic setup), build toward this checklist:

1. **Webhooks**: HMAC-SHA256 signature over the raw body in a header;
   a per-delivery UUID header; an event-type header; per-event stable
   ids; documented retry/backoff. (Full details: webhook contract
   topic.)
2. **Authorization**: an OAuth 2.0 Authorization Code flow (or
   marketplace-app install) so customers connect without pasting
   secrets. Scope read access narrowly; support token refresh.
3. **Inventory APIs**: paginated list endpoints with stable ids for
   the resources customers care about. (Full details: sync topic.)
4. **Sandbox**: a test org/account AO can use to verify the
   integration continuously.

Design to this list and the AO integration is nearly mechanical on our
side — submit a manifest as soon as the surface is stable, even
pre-GA.