See the first requirement below. What event filters do you subscribe for? If your app does not need to call any API except creating a subscription and listening for events. Create and read or renew or delete the subscription at least 5 times. Then for meeting the minimum 20 non-authentication related API calls requirement. Check the required app permission for an event and call a related API that requires that permission several times to generate enough API calls. E.g. if you subscribed for the message store (/restapi/v1.0/account/{accountId}/extension/{extensionId}/message-store), write a test function to call the Get Message List several times. This is pretty much the current tricks to overcome the graduation process for such an app. Meanwhile, we are working on improving the graduation process.

You can also post your app client id here so I can help checking it.

Graduation requirements

All apps must meet the following graduation criteria prior to obtaining production credentials.

1. All apps must successfully make more than 20 non-authentication related API calls in the last 48 hours.
2. All apps must successfully call each API endpoint used by their application at last 5 times in the last 48 hours.
3. All apps must utilize every app scope declared by their application in the last 48 hours.
4. Authentication errors must account for less than 5% of overall API traffic.

I only have issue with the webhook side which I dont understand why.