Authentication and authorization
This guide introduces the different methods of authenticating and authorizing apps with Shopify’s platform. Make sure that you understand the differences between the types of authentication and authorization methods before you begin your development process.
You can use Shopify CLI to generate a starter app with boilerplate code that handles authentication and authorization. The starter app includes code for an embedded app that follows app best practices:
- Authorizing your app using session tokens and token exchange.
- Installing on stores using Shopify managed installation.
You should use this starter app unless you need to scaffold an app that is not embedded.
Authentication vs. authorization
Authentication is the process of verifying the identity of the user or the app. To keep transactions on Shopify’s platform safe and secure, all apps connecting with Shopify APIs must authenticate when making API requests.
Authorization is the process of giving permissions to apps. When an app user installs a Shopify app they authorize the app, enabling the app to acquire an access token. For example, an app might be authorized to access orders and product data in a store.
Types of authentication and authorization methods
The authentication and authorization methods that your app needs to use depend on the tool that you used to create your app and on the components that your app uses.
Authentication
- Embedded apps need to authenticate their incoming requests with session tokens.
- Apps that are not embedded need to implement their own authentication method for incoming requests.
Authorization
Authorization encompasses the installation of an app and the means to acquire an access token.
To avoid unnecessary redirects and page flickers during the app installation process, you should configure your app's required access scopes using Shopify CLI. This allows Shopify to manage the installation process for you.
If you aren't able to use Shopify CLI to configure your app, then your app will install as part of the authorization code grant flow. This provides a degraded user experience.
The following table outlines the supported installation and token acquisition flows for various app configurations.
Whenever possible, you should create embedded apps that use Shopify managed installation and token exchange.
Type of app | Supported installation flows | Supported token acquisition flows |
---|---|---|
Embedded app | | |
Non-embedded app | | |
Admin-created custom app | | |
OAuth 2.0 is the industry-standard protocol for authorizing or giving permissions to apps. The following video illustrates how OAuth works at Shopify. Note that this video was created before token exchange was introduced, and might use the term "OAuth" interchangeably with "authorization code grant."
Getting started
- Authenticate your embedded app using session tokens.
- Authorize your embedded app using a session token with token exchange.
- Authorize your non-embedded app using the authorization code grant.
- Authenticate your app created in the Shopify admin with access tokens.