Authentication and authorization

To keep transactions on Shopify’s platform safe and secure, all apps connecting with Shopify APIs must authenticate when making API requests.

This guide introduces the different methods of authenticating and authorizing apps and services with Shopify’s platform. Make sure that you understand the differences between the types of authentication and authorization schemes before you begin your development process.

Types of authentication

Different types of apps use different authentication or authorization methods:

A decision tree diagram showing the different authentication methods associated with each type of app

App extensions

Any web application or service that connects with Shopify’s platform is referred to as an app, regardless of how it’s exposed to end users.

An app extension isn’t an app. It's a mechanism that lets an app add features to certain defined parts of several Shopify user interfaces. Apps that use extensions must adhere to the same authentication and authorization requirements as apps that don’t use extensions.

Refer to the list of available extensions to learn more about app extension requirements.

How your app accesses Shopify

Shopify has many APIs that let developers extend the platform’s built-in features. These APIs let you read and write merchant data, work with other systems and platforms, and add new functionality to Shopify.

Admin API
    Description: The primary way that apps and services interact with Shopify. It provides extensive access to data about individual Shopify stores, and lets you add your own features to the Shopify user experience.
    Authenticated: Yes
    API format: GraphQL or REST

Storefront API
    Description: Lets you add Shopify buying experiences anywhere your customers are, including websites, mobile apps, and video games. Data access is controlled by the permissions that you choose when you create a storefront access token.
    Authenticated: No
    API format: GraphQL

Partner API
    Description: Lets you access the data found in the Partner Dashboard, including transactions that impact your earnings, app events, and Experts Marketplace jobs.
    Authenticated: Yes
    API format: GraphQL

Payments Apps API
    Description: Lets you programmatically access data related to a payments app configuration.
    Authenticated: Yes
    API format: GraphQL

Messaging API
    Description: Lets your app send messages to the Shopify Inbox app.
    Authenticated: Yes
    API format: REST

Ajax API
    Description: Provides lightweight endpoints for development of Shopify themes.
    Authenticated: No
    API format: REST

Section Rendering API
    Description: Lets you request the HTML markup of a single theme section through an AJAX request.
    Authenticated: No
    API format: Ajax

Customer Privacy API
    Description: Allows you to read and write cookies related to a customer's consent to be tracked.
    Authenticated: No
    API format: JavaScript

OAuth authorization

To use Shopify’s APIs, public apps and custom apps must get authorization using OAuth. Apps then use the access token they receive through OAuth to authenticate their requests.

To authorize a public or custom app, you need to generate credentials from your Partner Dashboard, and then use those credentials to implement OAuth.

If you’re authorizing a custom app, then you need to also generate an installation link from your Partner Dashboard. The merchant uses the link to go through the OAuth flow and add the app on their store.

As part of the OAuth flow, you can specify whether you want your app to use an online or offline access token for the Admin API.

Basic HTTP authentication

Private apps can authenticate through basic HTTP authentication by using their Admin API key and password as a username and password. You can generate these credentials from the Shopify admin of the store that you want to connect with your app.

Public and custom apps authenticate by sending a custom HTTP request header with each request. You must include the request header X-Shopify-Access-Token: {access_token}, where {access_token} is replaced by the access token your app received through OAuth. Shopify provides several API libraries that can help you implement this specification.

How merchants access your app

Embedded apps use session tokens to authenticate the requests that they make between the client side and your app's backend. Session cookies used to fill this role, but they have become unreliable because of browser policy changes, so session tokens are used instead.

To operate as an embedded app, the frontend of your app requests a session token from Shopify using Shopify App Bridge, and then includes it in each request that it makes to the backend of the app. The backend then uses the session token to determine the user's identity.
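The backend step described above, as an added example that is not part of Shopify's documentation or libraries: session tokens are JWTs signed with HS256 using the app's client secret, so the backend must verify the signature, the validity window, the audience (the app's API key) and that iss and dest name the same shop before trusting the identity in the token. The API key, secret and claim values below are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse

# Constructed credentials for the demo only; real values come from the Partner Dashboard.
API_KEY = "example-api-key"
API_SECRET = b"example-api-secret"
DEMO_CLAIMS = {  # constructed claim set in the shape Shopify session tokens use
    "iss": "https://demo-shop.myshopify.com/admin", "dest": "https://demo-shop.myshopify.com",
    "aud": API_KEY, "sub": "1", "exp": 2_000_000_000, "nbf": 1_000_000_000,
    "iat": 1_000_000_000, "jti": "demo-jti", "sid": "demo-sid",
}

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_session_token(token: str, api_key: str, secret: bytes, now=None) -> dict:
    """Return the claims of a valid session token, or raise ValueError explaining why not."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse algorithm confusion such as alg "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["nbf"] > now:
        raise ValueError("token not yet valid")
    if claims["aud"] != api_key:
        raise ValueError("token issued for a different app")
    # iss is the shop's admin URL and dest the shop URL; both must name the same shop.
    if urlparse(claims["iss"]).hostname != urlparse(claims["dest"]).hostname:
        raise ValueError("iss/dest shop mismatch")
    return claims

def make_demo_token(claims: dict, secret: bytes) -> str:
    """Mint a token for the demo; in production only Shopify issues session tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```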

The following diagram shows the authentication process using session tokens and API access tokens:

Diagram showing the authentication process using session tokens and API access tokens

Next steps