Authentication and authorization
To keep transactions on Shopify’s platform safe and secure, all apps connecting with Shopify APIs must authenticate when making API requests.
This guide introduces the different methods of authenticating and authorizing apps and services with Shopify’s platform. Make sure that you understand the differences between the types of authentication and authorization schemes before you begin your development process.
Types of authentication
Different types of apps use different authentication or authorization methods:
- Public apps and custom apps use OAuth.
- Public apps and custom apps that are embedded in the Shopify admin use OAuth and session tokens.
- Private apps use basic HTTP authentication.
App extensions
Any web application or service that connects with Shopify’s platform is referred to as an app, regardless of how it’s exposed to end users.
An app extension isn’t an app. It's a mechanism that lets an app add features to certain defined parts of several Shopify user interfaces. The areas available to app extensions are defined by extension points.
Apps that use extensions must adhere to the same authentication and authorization requirements as apps that don’t use extensions.
How your app accesses Shopify
Shopify has many APIs that let developers extend the platform’s built-in features. These APIs let you read and write merchant data, work with other systems and platforms, and add new functionality to Shopify.
| API name | Description | Authenticated? | API format |
|---|---|---|---|
| Admin API | The primary way that apps and services interact with Shopify. It provides extensive access to data about individual Shopify stores, and lets you add your own features to the Shopify user experience. | Yes | GraphQL or REST |
| Storefront API | Lets you add Shopify buying experiences anywhere your customers are, including websites, mobile apps, and video games. Data access is controlled by the permissions that you choose when you create a storefront access token. | No | GraphQL |
| Partner API | Lets you access the data found in the Partner Dashboard, including transactions that impact your earnings, app events, and Experts Marketplace jobs. | Yes | GraphQL |
| Payments Apps API | Lets you programmatically access data related to a payments app configuration. | Yes | GraphQL |
| Ping API | Lets your app send messages to the Shopify Ping app. | Yes | REST |
| Ajax API | Provides lightweight endpoints for development of Shopify themes. | No | REST |
| Section Rendering API | Lets you request the HTML markup of a single theme section through an AJAX request. | No | Ajax |
| Customer Privacy API | Allows you to read and write cookies related to a customer's consent to be tracked. | No | JavaScript |
OAuth authorization
To use Shopify’s APIs, public apps and custom apps must get authorization using OAuth. Apps then use the access token they receive through OAuth to authenticate their requests.
To authorize a public or custom app, you need to generate credentials from your Partner Dashboard, and then use those credentials to implement OAuth.
If you’re authorizing a custom app, then you need to also generate an installation link from your Partner Dashboard. The merchant uses the link to go through the OAuth flow and add the app on their store.
As part of the OAuth flow, you can specify whether you want your app to use an online or offline access token for the Admin API.
Basic HTTP authentication
Private apps can authenticate through basic HTTP authentication by using their Admin API key and password as a username and password. You can generate these credentials from the Shopify admin of the store that you want to connect with your app.
Public and custom apps can authenticate using a custom HTTP request header, which is used for informational or troubleshooting purposes. You must include the request header X-Shopify-Access-Token: {access_token}, where {access_token} is replaced by your private app’s password. Shopify provides several API libraries that can help you implement this specification.
How merchants access your app
Embedded apps use session tokens to authenticate the requests that it makes between the client side and your app's backend. Session cookies used to fill this role, but have become unreliable due to browser policy changes, and so session tokens are used instead.
To operate as an embedded app, the frontend of your app requests a session token from Shopify using Shopify App Bridge, and then includes it in each request that it makes to the backend of the app. The backend then uses the session token to determine the user's identity.
The following diagram shows the authentication process using session tokens and API access tokens:
Next steps
- Authorize your public or custom app with OAuth.
- Authenticate your embedded app using session tokens.
- Authenticate your private app using basic HTTP authentication.