Authentication and authorization overview
This guide introduces the different methods of authenticating and authorizing apps with Shopify’s platform. Make sure that you understand the differences between the types of authentication and authorization schemes before you begin your development process.
Authentication vs authorizationAnchor link to section titled "Authentication vs authorization"
Authentication is the process of verifying the identity of the user or the app. To keep transactions on Shopify’s platform safe and secure, all apps connecting with Shopify APIs must authenticate when making API requests.
Authorization is the process of giving permissions to apps. Merchants can authorize Shopify apps to access data in a store. For example, an app might be authorized to access orders and product data in a store.
Types of authentication and authorization methodsAnchor link to section titled "Types of authentication and authorization methods"
The authentication or authorization methods that you app needs to use depends on the tool that you used to create your app, and the components that your app uses.
- All apps that are created using Shopify CLI or through the Partner Dashboard use OAuth.
- If the app is embedded in the Shopify admin using App Bridge, then your app also uses session tokens.
- Apps that are created in the Shopify admin use access tokens that are generated in the Shopify admin.
- Authorize your app that was created in the Partner Dashboard or Shopify CLI using OAuth.
- Authenticate your admin-created custom app with access tokens.
- Authenticate your embedded app using session tokens.