Shop Pay Wallet authorization
Shop Pay wallet uses an OAuth-2.0-compliant flow to authenticate and obtain authorization from the user, and an authorization code grant to obtain an
The Shop Pay Wallet API supports only confidential applications. A confidential application is usually a web server application that can hold a client secret. Credentials must be stored in a secure way without exposing them to unauthorized parties.
PKCE extensionAnchor link to section titled "PKCE extension"
OAuth 2.0 clients using the authorization code grant can use the Proof Key for Code Exchange (PKCE) extension for OAuth RFC7636 to add an additional layer of security.
The PKCE extension works as follows:
At the start of the authorization flow, the client picks a code verifier value. This can be any value.
During the authorization request, the client provides the authorization server with a code challenge derived from the code verifier. The code challenge must be SHA-256.
During the access token request, the client provides the authorization server with the code verifier.
The authorization server verifies that the code challenge matches the code verifier before issuing an access token.
Environment and variablesAnchor link to section titled "Environment and variables"
RFC 8252 section 8.12 explains the requirement for having an authentication-specific webview for OAuth inside native apps. Using this webview provides added security guarantees from the OS, and can provide a simpler login experience by reusing Shop Pay credentials obtained from the web.
We recommend that you use the AppAuth library (https://appauth.io/) hosted in the OpenID github organization. It provides audited implementations for iOS and Android. If you do not want to use this library, then you must implement authorization using the most secure frameworks available.
Android Custom Tabs is the best API provided by Android for creating authentication webviews. The header can optionally be themed, and we suggest using the Shop Pay primary color
#5a31f4 with white text.
Desktop and mobile webAnchor link to section titled "Desktop and mobile web"
For desktop or mobile web, we recommend that you use a browser pop-up to handle the authorization flow. The client can control the lifetime of the pop-up and dismiss it after it has obtained the authorization code.