Network requests

Shop Minis can only make network requests to approved domains. This page describes how to add trusted domains and how to perform fetch requests inside your Mini.

Anchor to trusted-domainsTrusted domains

To allow your Mini to make network requests to external domains, you need to add them to the trusted_domains array in your manifest.json file. This will be reviewed when your Mini is submitted.

Adding trusted domains to manifest.json

{

"name": "My Mini",

"trusted_domains": ["example.com", "api.example.com"]

}

Anchor to making-requestsMaking requests

Once you have added trusted domains to your manifest, you can use standard fetch requests in your Mini to communicate with your backend services.

Make sure to handle errors appropriately and provide feedback to users when requests fail.

Anchor to verifying-requestsVerifying requests

You can verify a request originates from a user in the Shop app by attaching a temporary token to the request inside the Mini and exchanging it for a user identifier on your backend.

Generate a temporary token using the useGenerateUserToken hook.
Attach the token in the headers of your network request.
Verify the token using the userTokenVerify mutation in the Shop Minis Admin API.

This is useful for identifying the user making the request and for rate limiting requests to your backend.

Caching lookups

Ensure you cache the token exchange lookup to avoid unnecessary requests to the Shop Minis Admin API. You can use the tokenExpiresAt field in the response to invalidate the cache when the token expires.

Authenticating requests

Do not include secret tokens or API keys in your Mini code. If you need to make authenticated API requests, you should wrap or proxy the request on your own backend using the verification process for rate limiting.

Anchor to cors-securityHandling CORS

Any backend services that your Shop Mini communicates with must be configured to allow CORS requests from localhost:* (all localhost ports).