JWT specification

The data passed from Shopify to the extension point is signed with a shared secret (JWT). When you make a call to your backend server, you can use this secret to verify that the request came from Shopify. The following example displays how you can use a changeset token to request changes to an initial purchase:

If your app makes a return call to your extension point, then you must sign applyChangeset with the shared secret. Shopify will use the secret to verify that the request is coming from your app.

JWTs can be encoded and decoded by using the client secret of an app as the token key, and by setting the hashing algorithm to HS256.

Ruby example:

Used to make sure each token is unique, and prevent potential replay attacks.

• Shopify issued token: Not present.
• Partner issued token: Required. It is strongly recommend to use UUIDs, to ensure each token is unique.

Used to identify who issued the token.

• Shopify issued token: Always present, and statically set to "shopify".
• Partner issued token: Required. The api_key of the app issuing the token.

The reference ID of the initial purchase the token was issued for.

• Shopify issued token: Always present.
• Partner issued token: Required.

Used to identify when the token was generated.

• Shopify issued token: Always present.
• Partner issued token: Required.

Used to prevent a token from being used after a certain time.

• Shopify issued token: Not present.
• Partner issued token: Optional.

Used to prevent a token from being used before a certain time.

• Shopify issued token: Not present.
• Partner issued token: Optional.

Unused.