Getting started with Shopify POS and cart app extensions
This guide describes the different steps that are required to integrate your app with the POS cart app extension.
Configure the app extension from your Partner Dashboard
You can configure the app extension from your Partner Dashboard.
- From your Partner Dashboard, click Apps.
- Click the name of the app that you want to change.
- Click Extensions.
- Click Shopify POS.
- Click Manage POS cart app extension.
- Enter the URL path that will be used to build your POS cart app extension endpoints.
- Click Save.
For example, if your app's base URL is
https://myapp.com and your
URL path is
pos-extension-api, then the extension will uses the following endpoints:
https://myapp.com/pos-extension-api/promotions https://myapp.com/pos-extension-api/perform_action https://myapp.com/pos-extension-api/revert_action
Create the endpoints
Before your app can receive communication from Shopify through an app extension, you need to host a series of standardized API endpoints on your app's primary domain. These endpoints are called when your app extension is rendered and when there's a related action requested from your app.
The requirements for the POS cart app extension are as follows:
|Security mechanism||HMAC/Signed requests. See Using webhooks to learn how to verify a webhook created through the API.|
|Protocol||HTTPS (app domain requires valid SSL certificate)|
Responding to requests
All endpoints must respond within three seconds, otherwise Shopify will timeout the call and return an error to the merchant. This is to prevent merchants having a slow experience in Shopify POS.
Your app needs to support three API endpoint calls for the POS cart app extension. To do this, you need to provide a path segment that is appended to the app's base URL to form the complete URL called by Shopify. This is done when setting up the app extension in the Partner Dashboard.
App extension requests by Shopify can be verified by calculating a digital signature.
Each request includes a base64-encoded X-Shopify-Hmac-SHA256 header, which is generated using the app's shared secret along with the data sent in the request.
To verify that the request came from Shopify, compute the HMAC digest and compare it to the value in the X-Shopify-Hmac-SHA256 header. If they match, you can be sure that the app extension request was sent from Shopify.
For more information see Using webhooks to learn how to verify a webhook created through the API. This is the same procedure to be followed for app extensions.