Hi guys, I base on this project to mount my react app directly inside of the VF page. But the problem is that I need to add the

    <script type="text/javascript">
            const __ACCESSTOKEN__ = '{!$Api.Session_ID}';
     </script>

If I put the __ACCESSTOKEN here, my app will not pass the security check to public my package to AppExchange. Do you have any solutions for it? Thanks for your help.

The access token is required to call the REST API from the client-side.

You could possibly wrap this in an Apex Controller method, but that would only maybe serve to "hide" the underlying implementation from the security review. At the end of the day, if Salesforce says you're not allowed to use client side API access in AppExchange packages, then you need to come up with some other way to communicate with Salesforce.

In that case your option are:

• Embed JSON data into the window scope using the Apex Controller method
• Use the AJAX Remote Callout instead of the rest API. How to make these calls with ts-force.

Also... I'm by no means an expert in AppExchange package development, but my understanding was that Salesforce wouldn't pass anything other than their "officially supported" framework (LWC)