AppSettings

App-level configuration that applies to the entire application. It controls app metadata, publishing, authentication, email notifications, SEO, webhooks, and branding. These settings are distinct from page-level and component-level properties.

Use Cases

• Configure app metadata (name, description, slug)
• Control publishing and public access
• Set up authentication and user registration
• Configure email notifications and autoresponders
• Set up thank-you pages or redirects
• Enable duplicate submission prevention
• Configure webhooks for integrations
• Optimize SEO metadata
• Apply app-wide theme and branding

Properties

Name

Application name/title displayed in dashboards and page headers. Type: string. Tip: Use clear, descriptive names that explain the app’s purpose. Length: 2-5 words, 50 characters max. Uniqueness: Make it unique within your workspace for easy identification.

Description

Optional description of the application’s purpose and functionality. Type: string. Tip: Provide 1-2 sentences explaining what the app does and who it’s for. Include relevant keywords for search/filtering.

Slug

URL slug for the published app (e.g., ‘contact-form’ → qodiak.com/a/contact-form). Type: string. Tip: Use kebab-case: lowercase, hyphens for spaces, no special chars. Length: 2-5 words, keep URLs short. Must be unique within tenant.

PublicSlug

Globally unique slug for single-level subdomain routing (e.g., ‘my-app-abc123.qodiak.com’). NULL for unpublished apps. Type: string. Tip: Must be globally unique across ALL tenants. System typically appends random suffix for uniqueness. Users can customize this slug anytime.

IsPublished

Whether the app is publicly accessible. Unpublished apps are only accessible to the owner. Type: boolean. Default: false. Tip: Keep false during development/testing. Set to true when ready for public access.

RequiresAuthentication

Whether the app requires user authentication to access. If true, users must log in to view any pages. Type: boolean. Default: false. Tip: Enable for internal tools, customer portals, member‑only content. Keep false for public forms, landing pages, marketing sites.

AllowSelfRegistration

Whether to allow self‑registration for new app users. If false, only app owner can create accounts (invite‑only). Type: boolean. Default: true. Tip: Set to true for public apps (customer portals, community sites). Set to false for internal tools (invite‑only).

RequireEmailVerification

Whether to require email verification for self‑registered users. Only applies when AllowSelfRegistration = true. ALWAYS enable this — it prevents fake accounts and spam registrations. Type: boolean. Default: true. Tip: ALWAYS set true — email verification protects against fake accounts and abuse. Only disable for internal demo apps with no real user data.

AutoresponderEnabled

Whether to send an autoresponder email to form submitters. Type: boolean. Default: false. Tip: Enable for contact forms, registrations, support requests. Ensure AutoresponderEmailFieldName matches a form field.

AutoresponderSubject

Subject line for autoresponder email. Type: string. Tip: Use a professional, friendly, reassuring tone. Make subject clear about what happened (contact, registration, etc.).

AutoresponderBody

HTML body for autoresponder email. Supports template variables like {{formName}}, {{submitterName}}. Type: string. Tip: Set clear expectations about response time. Match your brand voice and tone. Use template variables for personalization: {{formName}}, {{submitterName}}, {{submissionDate}}.

AutoresponderEmailFieldName

Name of the form field that contains the submitter’s email address (e.g., ‘email’, ‘emailAddress’). Type: string. Tip: Must exactly match the ‘name’ attribute of an Input component with type='email'. Make the email field required to ensure autoresponder can be sent.

NotificationEmails

JSON array of email addresses to notify when form is submitted. Type: array. Tip: Notify team members about new submissions, leads, registrations. Keep list small (1‑5 recipients) to avoid spam filters.

ThankYouPageEnabled

Whether to show a thank‑you page after form submission. If false, only shows a brief success message. Type: boolean. Default: true. Tip: Enable for most forms to provide clear feedback. Only disable if using redirect or custom post‑submission logic.

ThankYouPageTitle

Title shown on the thank‑you page. Type: string. Default: “Thank You!”.

ThankYouPageMessage

Message shown on the thank‑you page. Type: string. Default: “Your submission has been received.”.

RedirectAfterSubmit

Whether to redirect to an external URL after form submission instead of showing thank‑you page. Type: boolean. Default: false.

RedirectUrl

External URL to redirect to after form submission (if RedirectAfterSubmit = true). Type: string.

PreventDuplicateSubmissions

Whether to prevent duplicate form submissions from the same user. Type: boolean. Default: false. Tip: Enable for surveys, polls, registrations, contests. Disable for contact forms where multiple submissions may be legitimate.

DuplicateDetectionMethod

How to detect duplicate submissions. Type: string. Options: Session, IP, Email, SessionAndIP. Default: Session. Tip: Session – good default, prevents accidental double‑clicks. Email – use for forms collecting email addresses (registrations, contests). IP – use with caution – can block legitimate users on shared networks. SessionAndIP – use for high‑stakes forms (contests, limited offers).

WebhookUrl

URL to send form submission data to via HTTP POST. Enables integration with Zapier, Make, n8n, and custom systems. Type: string. Tip: Use for Zapier, Make, n8n, custom integrations. Set WebhookSecret for signature verification (HMAC‑SHA256). Test with webhook.site before going live.

WebhookSecret

Secret key for webhook signature verification (HMAC‑SHA256). If set, webhook requests include X‑Qodiak‑Signature header. Type: string. Tip: Always set for production webhooks to verify authenticity. Use random string (32+ characters).

SeoTitle

SEO‑optimized title for meta tags (defaults to Name if not set). Type: string. Tip: 50‑60 characters for optimal SEO. Include target keywords naturally. Include brand name when appropriate.

SeoDescription

SEO‑optimized description for meta tags (defaults to Description if not set). Type: string. Tip: 150‑160 characters for optimal SEO. Highlight key benefits or value proposition. Include subtle CTA when appropriate.

SeoKeywords

Comma‑separated keywords for SEO meta tags. Type: string. Tip: Use keywords relevant to app content and purpose. 5‑10 keywords max. Don’t stuff keywords – use naturally.

OgImageUrl

Open Graph image URL for social media sharing (Facebook, Twitter, LinkedIn). Type: string. Tip: 1200x630px for optimal social media display. Include logo, app name, or key visual. JPG or PNG, under 1 MB.

AllowIndexing

Whether to allow search engines to index this app. If false, adds noindex meta tag. Type: boolean. Default: true. Tip: Set to true for public apps you want indexed. Set to false for internal tools, testing, private apps.

Settings

JSON settings for app‑level configuration (theme, branding, etc.). Type: object.

• theme (object): App‑wide theme settings.
  • primary – Primary brand color (hex). Type: string.
  • secondary – Secondary brand color (hex). Type: string.
  • headingFontFamily – Font family for headings. Type: string. Examples: “Poppins, sans-serif”, “Inter, sans-serif”.
  • bodyFontFamily – Font family for body text. Type: string. Examples: “Inter, sans-serif”, “Roboto, sans-serif”.

ManifestJson

App manifest for manifest‑first generation pattern. Stores complete app structure (pages, entities, lookup tables, navigation) as JSON. Used for complex apps (8+ pages) to enable batch page generation without context limits. Type: object. Tip: Automatically set when using create_app_manifest tool for complex apps. Enables batch page generation, prevents context limits, ensures consistent navigation.

Best Practices

• Set meaningful Name and Description for discoverability
• Use descriptive slugs (kebab‑case, lowercase, no special chars)
• Enable RequiresAuthentication for private/internal apps
• Configure autoresponder settings only if collecting user emails
• Set up webhooks for integration with external systems (Zapier, Make, n8n)
• Optimize SeoTitle, SeoDescription, and OgImageUrl for social sharing
• Use AllowIndexing=false for private apps or testing
• Apply consistent theme settings across all pages

Common Mistakes

Not setting AutoresponderEmailFieldName when enabling AutoresponderEnabled

Why it's a problem: Autoresponder can’t send emails without knowing which field contains user’s email

Fix: Set AutoresponderEmailFieldName to match the name of your email Input component

Using DuplicateDetectionMethod='IP' for public forms

Why it's a problem: Can block legitimate users on shared networks (offices, schools, public WiFi)

Fix: Use 'Email' or 'Session' for public forms, only use 'IP' for specific use cases

Setting WebhookUrl without WebhookSecret in production

Why it's a problem: Unsecured webhooks can be spoofed or abused by attackers

Fix: Always set WebhookSecret for production webhooks to verify authenticity

Not setting SeoTitle and SeoDescription for public apps

Why it's a problem: Poor SEO ranking, unattractive search results, low click‑through rates

Fix: Always set SeoTitle (50‑60 chars) and SeoDescription (150‑160 chars) for public apps

Enabling RequiresAuthentication without setting up AllowSelfRegistration or invitations

Why it's a problem: Users can’t access the app because they can’t create accounts

Fix: Either enable AllowSelfRegistration or use invite‑only mode with manual account creation