Using OAuth to retrieve the host

To keep your embedded apps secure, you're required to lock all communication to the host. The host is provided as a URL query parameter appended to your application URL when your app is loaded inside the Shopify admin. The host parameter is an encoded version of the shop origin that is required since App Bridge version 2.0.

After you’ve got the host parameter, you can use it to initiate App Bridge and then store the App Bridge instance for the duration of the session. It is a good idea to re-use the same App Bridge instance because the host parameter is only guaranteed on initial load of your app.

Verification

Each embedded application URL includes an hmac query parameter that can be used to authenticate the request from Shopify.

To learn more about this process, review verifying requests from Shopify.

Actions

Menu

Navigation

React components

UX guidelines

Reference

Complete a checkout

Marketing activities

Reference

Session tokens

Marketing externally

Marketing internally

Shopify CLI

App Bridge

Actions

Menu

Navigation

React components

Post-purchase

UX guidelines

Payment methods

Shipping methods

Theme app extensions

Other integration methods

App extensions

Fulfillments

Migrate to the Subscriptions API

Getting started

Payments examples

Hosted Payment SDK

Reference

Getting started

Checkout API

Complete a checkout

Cart permalinks

Shopify admin extensions

Marketing activities

Reference

OAuth

Session tokens

Configuration

Definitions

Subscriptions

App review process

Supporting your app

Data and user privacy

App success

Marketing externally

Marketing internally

Shopify App Store ads

Security

Using OAuth to retrieve the host

Verification