OAuth
Public apps and custom apps must authenticate using the OAuth 2.0 specification to use Shopify’s API resources. This guide shows you how to authenticate a public or custom app using OAuth.
Requirements
- You've created a partner account and a development store.
- You understand how apps fit into Shopify and the different types of apps you can build.
- You're familiar with the different methods of authenticating apps and services with Shopify’s platform.
The OAuth flow
Shopify uses OAuth 2.0’s authorization code grant flow to issue access tokens on behalf of users. The following diagram illustrates the OAuth flow based on the actions of the merchant, your app, and Shopify.
- The merchant makes a request to install the app.
- The app redirects to Shopify to load the OAuth grant screen and requests the required scopes.
- Shopify displays a prompt to the merchant to give authorization to the app, and prompts the merchant to log in if required.
- The merchant consents to the scopes and is redirected to the
redirect_uri. - The app makes an access token request to Shopify including the
client_id,client_secret, andcode. - Shopify returns the access token and requested scopes.
- The app uses the access token to make requests to the Shopify API.
- Shopify returns the requested data.
Session tokens for embedded apps
If you're using Shopify App Bridge to embed your app in the Shopify admin, then Shopify doesn't recommend using session cookies to authenticate the merchant to your app's server. Instead, use session token authentication to obtain a JWT (JSON web token) from Shopify App Bridge.
After you obtain the JWT, you can use it to look up session data. Using this approach, your app needs to perform an OAuth redirect only for the initial installation, and doesn't need to store the merchant information in a cookie.
1. Generate API credentials
The first step is to retrieve an API key and API secret key. These API credentials identify your app during the authorization process.
- Log in to your Partner Dashboard.
- Click Apps.
- Choose the type of app that you want to create.
- Click Create app.
- Enter the app name, app URL, and allowed redirection URLs for your app.
- Click Create App.
- Scroll to API Keys to view your API key and API secret key.
2. Generate an installation link
If you're authenticating a public app, then skip this step and proceed to step 3.
If you're authenticating a custom app, then you need to generate an installation link. A custom app can interact with the Shopify API on behalf of a single store. The merchant uses the link to go through the OAuth process and install the app on their store.
- From the app's page in your Partner Dashboard, click Generate link.
- Enter the merchant's myshopify.com domain name. For example,
mygreatstore.myshopify.com. - Click Generate link, and then click Generate link to confirm.
- Copy the installation link from the Merchant install link section and proceed to step 3.
Install a custom app on multiple stores
Usually, a custom app can be installed only on one store. However, Shopify Plus service partners can install a custom app on multiple Shopify Plus stores owned by a single Shopify Plus merchant.
- From the app's page in your Partner Dashboard, click App setup.
In the Shopify Plus section, click Request access.
After the next step, your app will be restricted to Shopify Plus stores, and can be installed only on the stores of a single Shopify Plus merchant.
Click Request access again to confirm.
Copy the installation link from the Plus merchant install link section and proceed to step 3.
3. Ask for permission
Before an app can access any store data, a merchant must grant permission to the app. Granting permission happens when a merchant clicks the link to install your app.
How the installation flow works
After a merchant clicks the link to install your app, your app receives a GET request on the app URL path that you specified in the Partner Dashboard. Requests to this URL path from a merchant who is logged into the Shopify App Store include the shop, timestamp, and hmac query parameters.
If your install link doesn’t originate from the Shopify App Store, then you need to provide the shop parameter yourself or use another method to get the merchant's shop.
You need to verify the authenticity of these requests using the provided HMAC. For more information, refer to Verification.
Installation permissions prompt
Shopify shows the following prompt to receive authorization from the merchant.
Show the installation permissions prompt
To show the prompt, redirect the merchant to the following URL with the query parameters defined below:
| Query parameter | Description |
|---|---|
{shop} |
The name of the merchant’s shop. |
{api_key} |
The API key for the app. |
{scopes} |
A comma-separated list of scopes. For example, to write orders and read customers, use scope=write_orders,read_customers. Any permission to write a resource includes the permission to read it. |
{redirect_uri} |
The URL to which a merchant is redirected after authorizing the app. The complete URL specified here must be added to your app as an allowed redirection URL, as defined in the Partner Dashboard. |
{nonce} |
A randomly selected value provided by your app that is unique for each authorization request. During the OAuth callback, your app must check that this value matches the one you provided during authorization. This mechanism is important for the security of your app. |
{access_mode} |
Sets the access mode. For online access mode, set to per-user. For offline access mode, set to value. If no access mode is defined, then it defaults to offline access mode. |
Orders permissions
By default, you have access to the last 60 days' worth of orders for a store. To access all the orders, you need to request access to the read_all_orders scope from the merchant:
- From the app's page in your Partner Dashboard, click App setup.
- In the Orders section, click Request access to all orders.
- Provide a description about why you are applying for access.
Click Request access.
If the merchant approves your request, then you can add the
read_all_ordersscope to your app along withread_ordersorwrite_orders.
Subscription APIs permissions
Subscription apps let merchants sell subscription products that generate multiple orders on a specific billing frequency.
With subscription products, the merchant isn't required to get customer approval for each subsequent order after the initial subscription purchase. As a result, your app needs to request the required protected access scopes to use Subscription APIs from the merchant:
- From the app's page in your Partner Dashboard, click App setup.
- In the Subscriptions section, click Request access to Subscription APIs.
- Provide a description about why you are applying for access.
- Click Request access.
If the merchant approves your request, then you can add the read_customer_payment_methods and write_own_subscription_contracts scopes to your app.
4. Confirm installation
When the merchant clicks the install button in the prompt, they’re redirected to your app's server. The authorization_code is passed in the confirmation redirect:
Security checks
Before you continue, make sure that your app performs the following security checks. If any of the checks fail, then your app must reject the request with an error, and must not continue.
- The
nonceis the same one that your app provided to Shopify during step three. - The
hmacis valid and signed by Shopify. The
shopparameter is a valid shop hostname, ends withmyshopify.com, and doesn't contain characters other than letters (a-z), numbers (0-9), periods, and hyphens.You can use a regular expression to confirm that the hostname is valid. In the following example, the regular expression matches the hostname form of
https://exampleshop.myshopify.com/:To match for the hostname form
exampleshop.myshopify.com, you can use the following regular expression:
Get a permanent access token
If all security checks pass, then you can exchange the access code for a permanent access token by sending a request to the shop’s access_token endpoint:
In your request, {shop} is the name of the merchant's shop and the following parameters must be provided in the request body:
| Parameter | Description |
|---|---|
client_id |
The API key for the app, as defined in the Partner Dashboard. |
client_secret |
The API secret key for the app, as defined in the Partner Dashboard. |
code |
The authorization code provided in the redirect. |
The server responds with an access token:
The following values are returned:
| Value | Description |
|---|---|
access_token |
An API access token that can be used to access the shop’s data as long as your app is installed. Your app should store the token somewhere to make authenticated requests for a shop’s data. |
scope |
The list of access scopes that were granted to your app and are associated with the access token. |
Changing requested scopes
Due to the nature of OAuth, it’s possible for a merchant to change the requested scope in the URL during the authorize phase, so the app should ensure that all required scopes are granted before using the access token.
If you requested both the read and write access scopes for a resource, then check only for the write access scope. The read access scope is omitted because it’s implied by the write access scope. For example, if your request included scope=read_orders,write_orders, then check only for the write_orders scope.
Online access mode
If online access mode is requested, then the server responds with an access token and additional data:
The following values are returned:
| Query parameter | Description |
|---|---|
access_token |
An API access token that can be used to access the shop’s data as long as your app is installed. Your app should store the token somewhere to make authenticated requests for a shop’s data. |
scope |
The list of access scopes that were granted to your app and are associated with the access token. |
expires_in |
The number of seconds until the access token expires. |
associated_user_scope |
The list of access scopes that were granted to the app and are available for this access token, given the user’s permissions. |
associated_user |
Information about the merchant who completed the OAuth authorization flow. The email field in this response appears regardless of the email verification status. If you’re using emails as an identification source, then make sure that the email_verified field is also true. You can use the id field to uniquely identify a single merchant. |
5. Make authenticated requests
After your app has obtained an API access token, it can make authenticated requests to the Admin API. These requests are accompanied with a header X-Shopify-Access-Token: {access_token} where {access_token} is replaced with the permanent token.
The following examples show how to retrieve a list of products using the GraphQL Admin API and the REST Admin API.
Changes to granted scopes
After the merchant has agreed to install your app, you might want to change the granted scopes. For example, you might want to request additional scopes if your integration requires access to other API endpoints.
To change scopes, redirect the merchant to the app authorization link and request authorization of new permissions:
In the URL, {shop} is the name of the merchant's shop and the oauth/authorize link includes the required parameters.
Verification
Every request or redirect from Shopify to your app's server includes an hmac parameter that can be used to verify the authenticity of the request from Shopify. For each request, you must remove the hmac entry from the query string and process it through an HMAC-SHA256 hash function.
The following is an example of a query string. However, request parameters provided by Shopify are subject to change. Your verification strategy shouldn't depend on the parameters in the following example:
IDs array parameter
If your query string includes an ids array parameter, then the query string is parsed so that ids[]=1&ids[]=2 gets converted to ids=["1", "2"] before the signature is generated.
Remove the HMAC
To remove the hmac, you can transform the query string to a map, remove the hmac key-value pair, and then lexicographically concatenate your map back to a query string. This leaves the remaining parameters from the example query string:
Process through the hash function
You can process the string through an HMAC-SHA256 hash function using the secret key. The message is authentic if the generated hexdigest is equal to the value of the hmac parameter.
The following Ruby example shows how to process the string through a hash function:
Next steps
- Authenticate your embedded app using session tokens.
- Learn how to configure a webhook for your app and manage webhooks for different API versions.
- Explore the GraphQL Admin API and REST Admin API references.