Create action endpoints
Before your app can receive communication from Flow actions, you need to create one or more standardized API endpoints on your web server. Review the information for each endpoint to understand its requirements, the format of the payload, and the expected response. You'll also learn how to avoid processing duplicate requests, identify an action by its ID, and verify requests for security purposes.
| Endpoint | Purpose |
|---|---|
| Flow action execution | The endpoint where the automation tool sends your action's payload. The payload contains data that you can use to execute the action in your app. |
| Custom configuration page preview | An endpoint that provides data about your custom configuration page to display in the automation tool. This endpoint is required if you want to use a custom configuration page. |
| Custom validation | An endpoint that validates the contents of merchant-configurable properties in an action payload when an action is saved. This endpoint is required if you want to use a custom configuration page. |
General endpoint requirements
Anchor link to section titled "General endpoint requirements"The requirements for Shopify Flow action endpoints are as follows:
| Rule / concern | Type / requirement |
|---|---|
| API format | REST |
| Content type | JSON |
| Security mechanism | HMAC / Signed requests |
| Protocol | HTTPS (app domain requires valid SSL certificate) |
Flow action execution
Anchor link to section titled "Flow action execution"When a workflow that contains your action is executed, Flow sends an HTTP request to your Flow action execution endpoint (runtime URL). The request contains a payload that matches the payload schema that you configured for your action.
The payload contains the following parameters:
| Property Name | Property Usage |
|---|---|
shop_id |
The ID of the store. |
shopify_domain |
The myshopify.com domain of the store. |
action_run_id |
An ID that represents an instance of an action being run. Learn more. |
handle |
The extension’s handle. We recommend using this property to identify your actions. |
step_reference |
A unique ID for the step within a workflow. This property only appears if you’ve set a Custom Configuration Page. |
action_definition_id |
A unique ID for the action. The ID is based on the action name in the Partner Dashboard. |
properties |
The fields that you selected as part of the action configuration. |
To learn how to configure the payload schema, refer to Shopify Flow actions.
Expected response
Anchor link to section titled "Expected response"After the automation tool sends a POST request to your web server, it waits for a maximum of 10 seconds for an HTTP status code.
If after 10 seconds the automation tool hasn't received a response from your web server, then the automation tool closes the connection to your web server and resends the request later.
When the automation tool receives a response, it processes the codes as displayed in the following table:
| Status codes | Description |
|---|---|
| 200 Success | The automation tool assumes that the POST request has been processed by your web server. |
| 202 Success | The automation tool assumes that the POST request has been accepted but not processed by your web server. The automation tool will resend the POST request at increasing intervals for up to 36 hours. |
| 4XX Client errors |
If your web server sends a 429 status code without a If your web server sends a 429 status code with a
If your web server sends any other 4XX code, then the automation tool assumes that there was a failure and it doesn't resend the POST request. Merchants see a notification in the automation tool that includes the raw contents of your web server's response. Example: You can provide a merchant-friendly description of the error by adding a key named Example: |
| 5XX Server errors | The automation tool resends the POST request at increasing intervals for up to 36 hours. |
| Other status code | If your web server returns a code that isn't described in this table, then the automation tool assumes that there was a failure and it doesn't resend the POST request. |
Prevent apps from processing duplicate requests
Anchor link to section titled "Prevent apps from processing duplicate requests"Each request from an automation workflow contains an action_run_id that's unique to the associated action run. This ID is included in the body of the request.
You can use action_run_id as an idempotency key to check if the request is unique. In some cases, your app could receive an identical request more than once. For example, the automation tool might resend a request because it didn't receive your response in time. Your app can store the idempotency key in a cache with a set expiry time to avoid reprocessing duplicate requests.
Identify actions
Anchor link to section titled "Identify actions"The handle property is how you identify the action for processing when your web server receives a request from Flow during workflow execution.
Custom configuration page preview
Anchor link to section titled "Custom configuration page preview"An endpoint that provides data about your custom configuration page to display in the automation tool. This endpoint is required if you want to use a custom configuration page. Using the endpoint, you can dynamically set the following information:
- The field’s label
- A text preview
- A last updated at timestamp
- An image preview
- The text used by the button that redirects to the custom configuration page
The payload contains the following parameters:
| Parameter | Description |
|---|---|
shop_id |
The ID of the store. |
shopify_domain |
The myshopify.com domain of the store. |
handle |
The extension’s handle. We recommend using this property to identify your actions. |
step_reference |
A unique ID for the step within a workflow. |
locale |
The locale of the store making the request, in ISO format. |
properties |
The fields that you selected as part of the action configuration. |
Expected response
Anchor link to section titled "Expected response"
Other than text_preview, all fields are nullable.
| Parameter | Description | |
|---|---|---|
| 1 | label_text |
A title for the custom configuration page. If no value is specified, then the label text defaults to Configuration Page Preview. |
| 2 | text_preview |
A preview that indicates the resource that's tied to the step. For example, in the case of an email content editor, this might be a preview of the email text. This field is required. |
| 3 | button_text |
The text for the button that the merchant clicks to access the custom configuration page. If no value is specified, then the label text defaults to Edit. If the value for `button_text` is longer than 23 characters, then the label is truncated to twenty characters with an ellipsis. |
image_preview |
The details of the image. | |
| 4 | image_preview.url |
The URL for a preview image of the custom configuration page. The image should be between 500px and 600px wide, and 100KB or less. There is no maximum height. |
image_preview.thumbnail_url |
The URL for a thumbnail version of the preview image. This image is not currently used in the user interface. |
|
image_preview.alt |
The alt text for the preview image. This text appears if your image fails to render, and is accessible to screen readers. | |
| 5 | last_updated_at |
The date and time that the resource was last updated, in IS0-8601 format. |
Custom validation
Anchor link to section titled "Custom validation"An endpoint that validates the contents of merchant-configurable properties in an action payload when an action is saved. This endpoint is required if you want to use a custom configuration page.
The request contains a payload that matches the payload schema you configured for your action.
The payload contains the following parameters:
| Parameter | Description |
|---|---|
shop_id |
The ID of the store. |
shopify_domain |
The myshopify.com domain of the store. |
handle |
The extension’s handle. We recommend using this property to identify your actions. |
locale |
The locale of the store, in ISO format. |
steps |
An array of all of the steps to validate. Each child step object represents a separate action on the merchant’s workflow. |
steps.step_reference |
The unique identifier for the step. This ID should be used when returning errors for a step. |
steps.properties |
An object containing the properties specified on the action. Merchant-configurable properties: These properties are passed as strings, with the following exceptions:
Shopify properties:
The path to the value for the related commerce object in the workflow environment. For example, Example 1: Customer ID is available in the workflow environment
Example 2: Customer ID isn't available in the workflow environment
If a property is marked as optional, then the workflow tool won't validate the presence of the commerce object, and will only rely on external validation. The path to the value for the commerce objects is still returned as a path, but Shopify can't guarantee their presence at runtime. If you need a commerce object to be present at runtime, then you should mark it as required. This allows the workflow tool to assess the presence of the commerce object and return any errors to the editor. Example 3: Customer ID might be available in the workflow environment (for example, when using a custom trigger and an order step)
|
Expected response
Anchor link to section titled "Expected response"Your app should return an array of the steps that you validated, which are identified by their step_reference. If there are any validation errors, then specify them in a step_errors array. The error messages that return display to the merchant in the action configuration pane in Shopify Flow.
| Parameter | Description |
|---|---|
step_reference |
The unique identifier for the step. This ID should be used when returning errors for a step. |
step_errors |
An array of errors that apply to the entire step. |
step_errors.message |
An error message to display at the top of the action configuration pane. |
properties_errors |
An array of errors that apply to particular properties. |
properties_errors.id |
The key of the property that contains the error. |
properties_errors.message |
An error message to display for the property. |
Verifying requests
Anchor link to section titled "Verifying requests"For security reasons, your web service should enforce a hash-based message authentication (HMAC) header verification that uses the client secret that you created when you configured your app.
The name of the HMAC header is x-shopify-hmac-sha256. If you are using a Ruby-based web framework, then the name of the header is http-x-shopify-hmac-sha256.
When the action runs in a workflow, the automation tool posts the contents (JSON payload and the HMAC header) of the action to the URL that you entered when you created the action in the Partner Dashboard. When your web server receives the POST request, it needs to verify the HMAC header against the JSON payload and your app's API secret. The HMAC verification works the same as webhooks.
Your web server also needs to verify that the handle that's sent in the payload matches the handle of the action that you created.
After you've verified the HMAC header, you can process the contents of the payload. For example, you could log the contents of the payload to your web server's console.