Get and store the shop origin
To keep your embedded apps secure, you are required to lock all communications to the shop origin. The shop origin is the hostname for the current shop, which consists of the shop name followed by myshopify.com. The shop origin for the current session is contained in the host URL query parameter that’s appended to your application URL when your app is loaded inside the Shopify admin.
The host parameter is an encoded version of the shop origin and has been required since App Bridge version 2.0. If you are using App Bridge version 1.0, please use
Several libraries require the shop origin, including Shopify App Bridge, Polaris, and the EASDK. It’s a good idea to retrieve it and then store it for the duration of the session.
Getting and storing the shop origin
The process of getting and storing the shop origin is different depending on the library that you’re using for your app.
If you’re using the shopify_app gem, then the host parameter is automatically parsed from the authentication URL and stored in the session under the :shopify_domain key (for example,
Getting and storing the shop origin manually
If you’re unable to use any of the Shopify-provided libraries listed above, then you need to parse the host parameter out of the authentication URL and store it for later use.
To get the host parameter, parse it out of the confirmation redirect URL during the installation confirmation step of the authorization process.
After you’ve got the host parameter, you need to store it for the duration of the user session. It’s best to use the session mechanism of your preferred framework. Otherwise, you can store the parameter in an HTTP-only cookie.
Each embedded application URL includes an hmac query parameter that can be used to authenticate the request from Shopify.
To learn more about this process, see the documentation about verifying requests from Shopify.
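The manual steps above, as an added example that is not Shopify's code: it authenticates the request with the hmac parameter before trusting host, decodes host, accepts only a myshopify.com origin, and builds an HTTP-only cookie. It assumes the signature is a hex HMAC-SHA256 over the sorted remaining parameters and that host is Base64 of "<shop>.myshopify.com/admin"; the secret, the app.example URL, the cookie name and all function names are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "uri"

API_SECRET = "constructed-example-secret" # placeholder; load the real app secret from config
SHOP_HOST  = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/

# Assumed signing scheme: hex HMAC-SHA256 over the sorted parameters, hmac excluded.
def signature_for(params, secret)
  message = params.reject { |k, _| k == "hmac" }.sort.map { |k, v| "#{k}=#{v}" }.join("&")
  OpenSSL::HMAC.hexdigest("SHA256", secret, message)
end

# Constant-time comparison so the check does not leak how many characters matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the shop origin, or nil when the request is unsigned, tampered or off-domain.
def shop_origin_from(url, secret = API_SECRET)
  params = URI.decode_www_form(URI(url).query.to_s).to_h
  return nil unless secure_compare(signature_for(params, secret), params["hmac"].to_s)

  # Assumed encoding: Base64 of "<shop>.myshopify.com/admin".
  origin = Base64.urlsafe_decode64(params["host"].to_s).split("/", 2).first.to_s
  SHOP_HOST.match?(origin) ? origin : nil
rescue ArgumentError, URI::InvalidURIError
  nil
end

# HTTP-only cookie for apps without a framework session (cookie name is hypothetical).
def shop_origin_cookie(origin)
  "shop_origin=#{origin}; Path=/; HttpOnly; Secure"
end

# Constructed sample request, signed the same way, so the example runs offline.
def constructed_url(shop, secret = API_SECRET)
  params = { "host" => Base64.urlsafe_encode64("#{shop}/admin", padding: false),
             "shop" => shop, "timestamp" => "1700000000" }
  params["hmac"] = signature_for(params, secret)
  "https://app.example/?" + URI.encode_www_form(params)
end

if __FILE__ == $PROGRAM_NAME
  origin = shop_origin_from(constructed_url("example-shop.myshopify.com"))
  puts shop_origin_cookie(origin)
end
```

Checking the signature first means a host value is only decoded and stored when the request carries a valid hmac, and the anchored hostname pattern rejects a validly signed value that does not end in myshopify.com.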