Getting started with Shopify POS and cart app extensions

This guide describes the different steps that are required to integrate your app with the POS cart app extension.

Configure the app extension from your Partner Dashboard

You can configure the app extension from your Partner Dashboard.


  1. From your Partner Dashboard, click Apps.
  2. Click the name of the app that you want to change.
  3. Click Extensions.
  4. Click Shopify POS.
  5. Click Manage POS cart app extension.
  6. Enter the URL path that will be used to build your POS cart app extension endpoints.
  7. Click Save.

For example, if your app's base URL is and your URL path is pos-extension-api, then the extension will uses the following endpoints:

Create the endpoints

Before your app can receive communication from Shopify through an app extension, you need to host a series of standardized API endpoints on your app's primary domain. These endpoints are called when your app extension is rendered and when there's a related action requested from your app.

Endpoint requirements

The requirements for the POS cart app extension are as follows:

rule/concern type/requirement
API format REST
Content type JSON
Security mechanism HMAC/Signed requests. See Using webhooks to learn how to verify a webhook created through the API.
Protocol HTTPS (app domain requires valid SSL certificate)

Responding to requests

All endpoints must respond within three seconds, otherwise Shopify will timeout the call and return an error to the merchant. This is to prevent merchants having a slow experience in Shopify POS.

Base endpoint

Your app needs to support three API endpoint calls for the POS cart app extension. To do this, you need to provide a path segment that is appended to the app's base URL to form the complete URL called by Shopify. This is done when setting up the app extension in the Partner Dashboard.

Implement verification

App extension requests by Shopify can be verified by calculating a digital signature.

Each request includes a base64-encoded X-Shopify-Hmac-SHA256 header, which is generated using the app's shared secret along with the data sent in the request.

To verify that the request came from Shopify, compute the HMAC digest and compare it to the value in the X-Shopify-Hmac-SHA256 header. If they match, you can be sure that the app extension request was sent from Shopify.

For more information see Using webhooks to learn how to verify a webhook created through the API. This is the same procedure to be followed for app extensions.