Before your app can receive communication from Flow actions, you need to create one or more standardized API endpoints on your web server. Review the information for each endpoint to understand its requirements, the format of the payload, and the expected response. You'll also learn how to avoid processing duplicate requests, identify an action by its ID, and verify requests for security purposes.

| Endpoint | Purpose |
| --- | --- |
| [Flow action execution](/docs/apps/flow/actions/endpoints#flow-action-execution) | The endpoint where the automation tool sends your action's payload. The payload contains data that you can use to execute the action in your app. |
| [Custom configuration page preview](/docs/apps/flow/actions/endpoints#custom-configuration-page-preview) | An endpoint that provides data about your [custom configuration page](/docs/apps/build/flow/actions/build-config-ui) to display in the automation tool. This endpoint is required if you want to use a custom configuration page. |
| [Custom validation](/docs/apps/flow/actions/endpoints#custom-validation) | An endpoint that validates the contents of merchant-configurable properties in an action payload when an action is saved. This endpoint is required if you want to use a custom configuration page. |

## General endpoint requirements

The requirements for Shopify Flow action endpoints are as follows:

| Rule / concern | Type / requirement |
| --- | --- |
| API format | REST |
| Content type | JSON |
| Security mechanism | [HMAC / Signed requests](#verifying-requests) |
| Protocol | HTTPS (app domain requires valid SSL certificate) |

## Flow action execution

When a workflow that contains your action is executed, Flow sends an HTTP request to your Flow action execution endpoint (runtime URL). The request contains a payload that matches the payload schema that you configured for your action.

### Request

The payload contains the following parameters:

| Property Name | Property Usage |
| --- | --- |
| `shop_id` | The ID of the store. |
| `shopify_domain` | The myshopify.com domain of the store. |
| `action_run_id` | An ID that represents an instance of an action being run. [Learn more](#prevent-apps-from-processing-duplicate-requests). |
| `handle` | The extension’s handle. We recommend using this property to identify your actions. |
| `step_reference` | A unique ID for the step within a workflow. This property only appears if you’ve set a [Custom Configuration Page](/docs/apps/build/flow/actions/build-config-ui). |
| `action_definition_id` | A unique ID for the action. The ID is based on the action name in the Partner Dashboard. |
| `properties` | The fields that you selected as part of the action configuration. |

To learn how to configure the payload schema, refer to [Shopify Flow actions](/docs/apps/build/flow/actions).

### Expected response

After the automation tool sends a POST request to your web server, it waits for a maximum of 10 seconds for an [HTTP status code](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes). If after 10 seconds the automation tool hasn't received a response from your web server, then the automation tool closes the connection to your web server and resends the request later.

When the automation tool receives a response, it processes the codes as displayed in the following table:

| Status codes | Description |
| --- | --- |
| 200 Success | The automation tool assumes that the POST request has been processed by your web server. |
| 202 Success | The automation tool assumes that the POST request has been accepted but not processed by your web server. The automation tool will resend the POST request at increasing intervals for up to 36 hours. |
| 4XX Client errors | If your web server sends a 429 status code without a `Retry-After` header, then the automation tool resends the POST request at increasing intervals for up to 36 hours.<br><br>If your web server sends a 429 status code with a `Retry-After` header that specifies a wait time, then the automation tool resends the POST request after the wait time (formatted in seconds) has passed.<br><br>If your web server sends any other 4XX code, then the automation tool assumes that there was a failure and it doesn't resend the POST request. Merchants see a notification in the automation tool that includes the raw contents of your web server's response.<br><br>Example: `400 Bad Request` `{ "error1": "server unresponsive" }`<br><br>You can provide a merchant-friendly description of the error by adding a key named `message`. For example:<br><br>Example: `{ "message": "Finish the onboarding on our website." }` |
| 5XX Server errors | The automation tool resends the POST request at increasing intervals for up to 36 hours. |
| Other status code | If your web server returns a code that isn't described in this table, then the automation tool assumes that there was a failure and it doesn't resend the POST request. |

### Prevent apps from processing duplicate requests

Each request from an automation workflow contains an `action_run_id` that's unique to the associated action run. This ID is included in the body of the request.

You can use `action_run_id` as an [idempotency key](/docs/api/usage/idempotent-requests) to check if the request is unique. In some cases, your app could receive an identical request more than once. For example, the automation tool might resend a request because it didn't receive your response in time. Your app can store the idempotency key in a cache with a set expiry time to avoid reprocessing duplicate requests.

### Identify actions

The `handle` property is how you identify the action for processing when your web server receives a request from Flow during workflow execution.

```json
{
  "shop_id": 0,
  "shopify_domain": "{shop}.myshopify.com",
  "action_run_id": "xxxx-xxxx-xxxx-xxxx",
  "handle": "auction-bid",
  "action_definition_id": "Auction Bid",
  "properties": {}
}
```

## Custom configuration page preview

An endpoint that provides data about your [custom configuration page](/docs/apps/build/flow/actions/build-config-ui) to display in the automation tool. This endpoint is required if you want to use a custom configuration page.

Using the endpoint, you can dynamically set the following information:

- The field’s label
- A text preview
- A last updated at timestamp
- An image preview
- The text used by the button that redirects to the custom configuration page

### Request

The payload contains the following parameters:

| Parameter | Description |
| --- | --- |
| `shop_id` | The ID of the store. |
| `shopify_domain` | The myshopify.com domain of the store. |
| `handle` | The extension’s handle. We recommend using this property to identify your actions. |
| `step_reference` | A unique ID for the step within a workflow. |
| `locale` | The locale of the store making the request, in ISO format. |
| `properties` | The fields that you selected as part of the action configuration. |

### Expected response

```json
{
  "label_text": "Abandonment Email Template",
  "text_preview": "We want you back. Enjoy a 15% discount on your next purchase.",
  "button_text": "Edit Email",
  "image_preview": {
    "url": "http://someUrl.io/assets/preview_image.png",
    "alt": "Abandonment Email Template Preview Image"
  },
  "last_updated_at": "2023-02-10T16:50:24.709Z"
}
```

Other than `text_preview`, all fields are nullable.

| | Parameter | Description |
| --- | --- | --- |
| 1 | `label_text` | A title for the custom configuration page.<br><br>If no value is specified, then the label text defaults to `Configuration Page Preview`. |
| 2 | `text_preview` | A preview that indicates the resource that's tied to the step. For example, in the case of an email content editor, this might be a preview of the email text.<br><br>This field is required. |
| 3 | `button_text` | The text for the button that the merchant clicks to access the custom configuration page.<br><br>If no value is specified, then the label text defaults to `Edit`.<br><br>If the value for `button_text` is longer than 23 characters, then the label is truncated to twenty characters with an ellipsis. |
| | `image_preview` | The details of the image. |
| 4 | `image_preview.url` | The URL for a preview image of the custom configuration page. The image should be between 500px and 600px wide, and 100KB or less. There is no maximum height. |
| | `image_preview.thumbnail_url` | The URL for a thumbnail version of the preview image.<br><br>This image is not currently used in the user interface. |
| | `image_preview.alt` | The alt text for the preview image. This text appears if your image fails to render, and is accessible to screen readers. |
| 5 | `last_updated_at` | The date and time that the resource was last updated, in ISO-8601 format. |

Image: A labeled custom configuration page.

## Custom validation

An endpoint that validates the contents of merchant-configurable properties in an action payload when an action is saved. This endpoint is required if you want to use a custom configuration page.

### Request

The request contains a payload that matches the payload schema you configured for your action.

The payload contains the following parameters:

| Parameter | Description |
| --- | --- |
| `shop_id` | The ID of the store. |
| `shopify_domain` | The myshopify.com domain of the store. |
| `handle` | The extension’s handle. We recommend using this property to identify your actions. |
| `locale` | The locale of the store, in ISO format. |
| `steps` | An array of all of the steps to validate. Each child step object represents a separate action on the merchant’s workflow. |
| `steps.step_reference` | The unique identifier for the step. This ID should be used when returning errors for a step. |
| `steps.properties` | An object containing the properties specified on the action. |

Merchant-configurable properties: These properties are passed as strings, with the following exceptions:

  • Checkbox properties: Boolean
  • Number properties: integer

Shopify properties: The path to the value for the related commerce object in the workflow environment. For example, customer.id. If the value isn't available in the workflow environment, then an empty string is returned. The property will be populated with an actual value at runtime.

Example 1: Customer ID is available in the workflow environment

  • Validation payload value: "customer.id"
  • Runtime value: "123456"

Example 2: Customer ID isn't available in the workflow environment

  • Validation payload value: ""
  • Runtime value: null

If a property is marked as optional, then the workflow tool won't validate the presence of the commerce object, and will only rely on external validation. The path to the value for the commerce objects is still returned as a path, but Shopify can't guarantee their presence at runtime. If you need a commerce object to be present at runtime, then you should mark it as required. This allows the workflow tool to assess the presence of the commerce object and return any errors to the editor.

Example 3: Customer ID might be available in the workflow environment (for example, when using a custom trigger and an order step)

  • Validation payload value: "customer.lastOrder.id"
  • Runtime value: "123456" OR null

### Expected response

Your app should return an array of the steps that you validated, which are identified by their `step_reference`. If there are any validation errors, then specify them in a `step_errors` array. The error messages that you return are displayed to the merchant in the action configuration pane in Shopify Flow.

![An image of error messages in the action configuration pane.](/assets/apps/flow/validation-error.png)

```yml
[
  {
    step_reference: '122438de2e57d8bad7e50958d2bd4999ca2c4c35ee3b5120e85e42a17fc1ce93',
    step_errors: [
      {
        message: 'A step level error occurred'
      }
    ],
    properties_errors: [
      {
        id: 'guest_no',
        message: 'Number of guests is limited to 8 when outside of North America'
      }
    ]
  },
  {
    step_reference: 'ca2c4c35ee3b5120e85e42a17fc1ce93122438de2e57d8bad7e50958d2bd4999',
    step_errors: [],
    properties_errors: []
  }
]
```

| Parameter | Description |
| --- | --- |
| `step_reference` | The unique identifier for the step. This ID should be used when returning errors for a step. |
| `step_errors` | An array of errors that apply to the entire step. |
| `step_errors.message` | An error message to display at the top of the action configuration pane. |
| `properties_errors` | An array of errors that apply to particular properties. |
| `properties_errors.id` | The key of the property that contains the error. |
| `properties_errors.message` | An error message to display for the property. |

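
The following validator is an added example, not Shopify's code, showing how the request rules above (integers for number properties, a path or an empty string for Shopify properties) map onto the response shape. It assumes the request's HMAC has already been verified; `guest_no` comes from the sample response, while `customer_id`, the simplified guest limit, and the error wording are hypothetical.

```python
MAX_GUESTS = 8  # limit taken from the page's sample error message


def validate_steps(payload: dict) -> list:
    """Return one result object per step, keyed by its step_reference."""
    results = []
    for step in payload.get("steps", []):
        props = step.get("properties") or {}
        step_errors, properties_errors = [], []

        # Number properties arrive as integers. bool is a subclass of int in
        # Python, so a checkbox value must not pass as a number.
        guests = props.get("guest_no")
        if isinstance(guests, bool) or not isinstance(guests, int):
            properties_errors.append(
                {"id": "guest_no", "message": "Number of guests must be a whole number"})
        elif guests > MAX_GUESTS:
            properties_errors.append(
                {"id": "guest_no", "message": f"Number of guests is limited to {MAX_GUESTS}"})

        # Shopify properties arrive as a path such as "customer.id", not as the
        # runtime value. An empty string means the object is not available in
        # the workflow environment and will be null at runtime.
        # "customer_id" is a hypothetical property key.
        if props.get("customer_id") == "":
            step_errors.append(
                {"message": "This action needs a customer, but the workflow has none"})

        results.append({
            "step_reference": step.get("step_reference"),
            "step_errors": step_errors,
            "properties_errors": properties_errors,
        })
    return results
```
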
## Verifying requests

For security reasons, your web service should enforce a hash-based message authentication (HMAC) header verification that uses the client secret that you created when you configured your app.

The name of the HMAC header is `x-shopify-hmac-sha256`. If you are using a Ruby-based web framework, then the name of the header is `http-x-shopify-hmac-sha256`.

When the action runs in a workflow, the automation tool posts the contents (JSON payload and the HMAC header) of the action to the URL that you entered when you created the action in the Partner Dashboard. When your web server receives the POST request, it needs to verify the HMAC header against the JSON payload and your app's API secret. The HMAC verification works the same as [webhooks](/docs/apps/build/webhooks/subscribe/https).

Your web server also needs to [verify that the `handle` that's sent in the payload matches the `handle` of the action that you created](#identify-actions).

After you've verified the HMAC header, you can process the contents of the payload. For example, you could log the contents of the payload to your web server's console.
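
The checks described above and under "Prevent apps from processing duplicate requests", combined in one request handler as an added example (not Shopify's code): HMAC verification over the raw body, the `handle` check, then de-duplication on `action_run_id`. It assumes the header carries a base64-encoded HMAC-SHA256 of the raw body, as with Shopify webhooks; the secret, the in-memory cache, the 36-hour expiry, the returned status codes and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import json
import time

CLIENT_SECRET = b"constructed-client-secret"  # placeholder, never a real secret
KNOWN_HANDLES = {"auction-bid"}               # handle from the sample payload
DEDUP_TTL_SECONDS = 36 * 60 * 60              # assumption: cover the resend window
_seen_runs = {}  # action_run_id -> expiry; use a shared cache in production


def sign(raw_body: bytes, secret: bytes = CLIENT_SECRET) -> str:
    """Base64 HMAC-SHA256 of the raw body (encoding assumed from webhooks)."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def handle_flow_request(raw_body: bytes, headers: dict, now: float = None):
    """Return (HTTP status, reason) for one Flow action execution request."""
    now = time.time() if now is None else now
    # Header names are case-insensitive, so normalize before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = str(lowered.get("x-shopify-hmac-sha256", ""))
    # Verify the exact bytes received, before parsing, in constant time.
    if not hmac.compare_digest(sign(raw_body).encode(), received.encode()):
        return 401, "bad hmac"
    try:
        payload = json.loads(raw_body)
        handle, run_id = payload["handle"], payload["action_run_id"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    if not isinstance(run_id, str) or not isinstance(handle, str):
        return 400, "malformed payload"
    if handle not in KNOWN_HANDLES:
        return 400, "unknown handle"
    # Drop expired keys, then treat a repeated action_run_id as already done.
    for key in [k for k, expiry in _seen_runs.items() if expiry <= now]:
        del _seen_runs[key]
    if run_id in _seen_runs:
        return 200, "duplicate"
    _seen_runs[run_id] = now + DEDUP_TTL_SECONDS
    # Execute the action here using payload["properties"].
    return 200, "processed"
```

The signature is computed over the bytes exactly as received; re-serializing the parsed JSON before hashing changes whitespace and key order and makes valid requests fail verification.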