About token acquisition
The Shopify platform provides two ways for apps to acquire an access token: token exchange and authorization code grant. Embedded apps should use token exchange, while non-embedded apps need to use authorization code grant.
Token exchange
OAuth 2.0 token exchange allows apps to exchange a session token for an access token. The session token is only available for embedded apps and can be acquired using App Bridge.
Generating a starter app handles authentication automatically. However, refer to this guide for more details or if you need to implement token exchange yourself.
Request flow using token exchange API
The following diagram illustrates the token exchange flow from the point at which a merchant interacts with the app to the point at which the app receives an access token and can make authenticated API requests.
Authorization code grant
For non-embedded apps, Shopify uses OAuth 2.0’s authorization code grant flow to issue access tokens on behalf of merchants. The OAuth flow enables merchants to authorize apps to access store data. For example, a merchant might authorize an app to access order and product data.
The following diagram illustrates the authorization code grant flow based on the actions of the user, your app, and Shopify:
1. The user makes a request to install the app.
2. The app redirects to Shopify to load the grant screen and requests the user to authorize the required scopes. For apps that have requested API access scopes via the TOML file, the grant screen might display before the app redirects to Shopify.
3. The user authorizes the app by consenting to the requested scopes.
4. The app receives an authorization grant. This is a temporary credential representing the authorization.
5. The app requests an access token by authenticating with Shopify and presenting the authorization grant.
6. Shopify authenticates the app, validates the authorization grant, and then issues and returns an access token. The app can now request data from Shopify.
7. The app uses the access token to make requests to the Shopify API.
8. Shopify validates the access token and returns the requested data.
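The app's part of the steps above (building the grant-screen redirect, checking the callback that carries the authorization grant, and requesting the access token) is where a manual implementation most often goes wrong. The following is an added example, not code from this page or from a Shopify library, in plain Python. It assumes the standard Shopify callback shape (`code`, `shop`, `state`, `timestamp`, `hmac` query parameters, with the `hmac` computed over the other parameters sorted and joined as `key=value&...` under the app secret) and the `/admin/oauth/authorize` and `/admin/oauth/access_token` paths; confirm both against the current reference. The client id, secret, redirect URL and shop are constructed stand-ins, and `sign_callback` is a constructed helper that builds a sample callback so the example runs offline.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed credentials and redirect; not real values.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = b"example-client-secret"
APP_REDIRECT = "https://app.example/auth/callback"

# Only accept first-party shop domains; anything else is not a Shopify store.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")


def is_valid_shop(shop: str) -> bool:
    return bool(SHOP_RE.match(shop))


def new_state() -> str:
    """Unguessable per-request state; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(shop: str, scopes: list[str], state: str) -> str:
    """Step 2: the redirect that loads Shopify's grant screen (assumed path)."""
    if not is_valid_shop(shop):
        raise ValueError("refusing to redirect to a non-Shopify host")
    query = urlencode({
        "client_id": CLIENT_ID,
        "scope": ",".join(scopes),
        "redirect_uri": APP_REDIRECT,
        "state": state,
    })
    return f"https://{shop}/admin/oauth/authorize?{query}"


def _callback_digest(params: dict) -> str:
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hmac.new(CLIENT_SECRET, message.encode(), hashlib.sha256).hexdigest()


def verify_callback(query: str, expected_state: str):
    """Steps 3-4: validate the callback before trading the grant for a token.

    Returns (True, params) on success or (False, reason) on failure.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    received = params.pop("hmac", "")
    # Signature first: an unsigned or re-signed callback is not from Shopify.
    if not hmac.compare_digest(_callback_digest(params), received):
        return False, "hmac mismatch"
    # State binds the callback to the session that started the flow (anti-CSRF).
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        return False, "state mismatch"
    if not is_valid_shop(params.get("shop", "")):
        return False, "shop is not a myshopify.com domain"
    if not params.get("code"):
        return False, "missing authorization grant"
    return True, params


def build_access_token_request(params: dict) -> tuple[str, str]:
    """Step 5: POST target and form body for exchanging the grant (assumed path)."""
    url = f"https://{params['shop']}/admin/oauth/access_token"
    body = urlencode({
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET.decode(),
        "code": params["code"],
    })
    return url, body


def sign_callback(params: dict) -> str:
    """Constructed helper: produce a callback query string the way Shopify would."""
    return urlencode({**params, "hmac": _callback_digest(params)})


if __name__ == "__main__":
    shop = "example-shop.myshopify.com"  # constructed
    state = new_state()
    print(build_authorize_url(shop, ["read_orders", "read_products"], state))
    callback = sign_callback({"code": "sample-grant", "shop": shop,
                              "state": state, "timestamp": "1700000000"})
    ok, result = verify_callback(callback, state)
    print(ok, build_access_token_request(result) if ok else result)
```

Keep the `state` value in server-side session storage rather than in a cookie the merchant's browser can be tricked into replaying, and check the `shop` parameter before using it to build any URL, since it otherwise becomes the host the app posts its client secret to.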
Ways to implement authorization code grant
Shopify provides multiple resources to help you to authorize your app with authorization code grant. The resource you use depends on whether you're creating a new app, and the app's language and structure.
- If you're creating a new app, then Shopify recommends using Shopify CLI to create your app. This starter app uses token exchange and session tokens.
- If you're implementing authorization code grant for an existing app, an app that isn't embedded, or you don't want to use an app template, then we recommend using a Shopify Admin API library. These libraries provide methods for authenticating with authorization code grant (except Remix, which uses token exchange), and are used by Shopify app templates. Using a library makes your implementation faster and your app more secure. Refer to Implement authorization code grant manually for more information.