Session tokens overview

Embedded apps in the Shopify admin authenticate using OAuth and session tokens. This guide is for developing embedded apps. It covers why Shopify is migrating from cookies to session tokens and the migration timeline.

Why Shopify is migrating to session tokens

Shopify is migrating to session tokens for embedded apps because cookies won't work with browsers that restrict cross-domain data access.

Browsers that restrict cross-domain data access to protect privacy will prevent data transfer between an embedded app and Shopify. This is because the embedded app is hosted in an iframe on a different domain than the Shopify admin.

For more information about the measures taken to remove third-party cookie support by browsers, refer to the following articles:

Timeline for migrating to session tokens

As of April 2021, new submissions for embedded apps are required to use session tokens.

All embedded apps that use cookies, new and existing, must migrate to use session tokens prior to Jan 1, 2022.

If your app’s use of cookies poses a risk to merchants, then the app audit team might contact you and request that you migrate your app to use session tokens before this deadline. These requests require immediate action.

Looking forward, browsers will continue to implement restrictions on cookies, which will break embedded apps still relying on cookies.

Next steps