OAuth overview

OAuth 2.0 is the industry-standard protocol for authorizing or giving permissions to apps. This differs from authentication, which is the process of verifying the identity of the user or the app. The following video illustrates how OAuth works in Shopify:

Shopify uses OAuth 2.0’s authorization code grant flow to issue access tokens on behalf of users. The OAuth flow is used so that merchants can authorize Shopify apps to access data in a store. For example, an app might be authorized to access orders and product data in a store.

The following diagram illustrates the OAuth flow based on the actions of the merchant, your app, and Shopify:

1. The merchant makes a request to install the app.

2. The app redirects to Shopify to load the OAuth grant screen and requests the merchant to authorize the required scopes.

3. The merchant authorizes the app by consenting to the requested scopes.

4. The app receives an authorization grant. This is a temporary credential representing the authorization.

5. The app requests an access token by authenticating with Shopify and presenting the authorization grant.

6. Shopify authenticates the app, validates the authorization grant, and then issues and returns an access token. The app can now request data from Shopify.

7. The app uses the access token to make requests to the Shopify API.

8. Shopify validates the access token and returns the requested data.

Shopify provides multiple resources to help you to authorize your app with OAuth. The resource you use depends on whether you're creating a new app, and the language and structure of your app.

• If you're creating a new app, then Shopify recommends using Shopify CLI to create your app using an app template. Each app template includes code for an embedded app that uses OAuth and session tokens.

• If you're implementing OAuth for an existing app, or don't want to use an app template, then consider using a Shopify Admin API library. These libraries provide methods for authenticating with OAuth, and are used by Shopify app templates.

  You can also implement OAuth without a library. However, using a library makes your implementation faster and your app more secure.

If you're creating a new app, then you don't need to do anything else to get started with OAuth.

If you're using a library or implementing OAuth yourself, then refer to Getting started with OAuth for more information.

Because OAuth is the first interaction that merchants have with your app UI, you should make sure that it's a positive experience. Refer to our OAuth performance best practices to learn how to make your app authorization process smoother, faster, and more polished.

If you already implemented OAuth in your app, then consider updating your implementation to follow these best practices. For more information, refer to Update your embedded app OAuth flow.