Authenticate requests between an extension and an app's backend server
App Bridge Admin apps use session tokens to authenticate requests between the extension and your app's backend server. Session tokens are secure packets of data about a merchant session in the Shopify Admin, similar to cookies. A session token provides the information required to validate that a request is coming from Shopify, and also provides the IDs of the user and shop. Learn more about session tokens.
This tutorial describes how to authenticate requests between your extension and your app's backend server using session tokens.
What you'll learn
Anchor link to section titled "What you'll learn"In this tutorial, you'll learn how to do the following tasks:
- Make a request to your app's server using a session token
- Receive a request and decode the session token
- Validate a session token
Requirements
Anchor link to section titled "Requirements"- Complete the Getting started tutorial.
- Familiarize yourself with data and UI component rendering and extension points.
Step 1: Make requests to your app’s server using a session token
Anchor link to section titled "Step 1: Make requests to your app’s server using a session token"When an extension built with App Bridge Admin loads in the Shopify Admin, you can fetch the session token using the session token API. Include the token with every request that you make to your app's backend server. The token is signed using a shared secret so that your app's backend can verify if the request is valid.
Configure your app's backend server
Anchor link to section titled "Configure your app's backend server"Extensions built using App Bridge Admin are hosted on Shopify's servers. To receive requests from your extension, you need to enable cross-domain requests on your app's backend server.
If you're using Rails, then add the following code in the config/application.rb file to enable cross-domain requests:
Fetch a session token from the Shopify Admin
Anchor link to section titled "Fetch a session token from the Shopify Admin"In your extension, use the session token API to fetch a new session token. Session tokens expire every minute, so always fetch a new token before making a request to your app's backend server.
Make a request to your app's backend server
Anchor link to section titled "Make a request to your app's backend server"After your extension has received a session token, you can include it in requests to your server. How you include the session token in the request is up to you, but we suggest including it in the request header as follows:
For information on how to set up your requests for each extension mode, refer to Create and manage a product subscription app extension.
Step 2: Receive a request and decode the session token
Anchor link to section titled "Step 2: Receive a request and decode the session token"When your server receives a request from your extension that includes a session token, you need to decode it. Session tokens use the JSON Web Token (JWT) format. Libraries to encode and decode JWT are available for all common server frameworks.
- Pass the following parameters to the JWT
decodemethod:
- The session token received in your extension's request
- The client secret for your app
The HS256 algorithm
The session token contains the details of the current shop and user, including the following information:
- Your shop's domain
- Your app’s client ID
- The user ID
You can use this information to establish per-user sessions, similar to an authentication cookie.
For information on the session token structure, refer to Anatomy of a session token.
Step 3: Validate a session token
Anchor link to section titled "Step 3: Validate a session token"Validate session tokens using one of the following methods:
- Manually validate session tokens
- Use the shopify app gem
- Configure a Rails app to perform the validation.
Manually validate a session token
Anchor link to section titled "Manually validate a session token"To verify that a session token is coming from Shopify, you can encode a new session token using your app’s shared secret and compare it to the encoded token received from your extension.
An encoded JWT is a string with the following structure:
Using the SHA-256 algorithm, hash the decoded
{header}and{payload}values from the extension session token.Sign the string using JWT.
Specify the HS256 algorithm and use the app’s secret as the signing key.
Base64url-encode the result.
Compare the new session token with the session token received from your extension.
If the session tokens are identical, then the request came from Shopify.
Use the Shopify App gem to validate a session token
Anchor link to section titled "Use the Shopify App gem to validate a session token"If your server uses the Shopify App gem to validate session authentication for GraphQL requests, then requests containing a valid JWT token in the request header will automatically be authorized. An error is raised if an invalid token is received.
Configure a Rails app to validate a session token
Anchor link to section titled "Configure a Rails app to validate a session token"You can skip the following steps if any of the following criteria are met:
- The app uses Shopify App gem version 13.1.0 or newer.
- The server doesn’t use Rails.
- The server is already configured to process GraphQL requests using the Shopify App gem.
In
config/routes.rb, add the following route:In the
app/controllers/graphql_controller.rbfile, replace the content with the following code:
Step 4: Making requests to Shopify’s Admin API
Anchor link to section titled "Step 4: Making requests to Shopify’s Admin API"To communicate with the Shopify Admin API, your extension needs to make requests through your app's backend server. You need to build an API that your extension can make requests to, which in turn makes requests to the Shopify Admin API.