Get and store the shop origin
To keep your embedded apps secure, you are required to lock all communications to the shop origin. The shop origin is the hostname for the current shop, which consists of the shop name followed by myshopify.com. The shop origin for the current session is contained in the shop URL query parameter that’s appended to your application URL when your app is loaded inside the Shopify admin.
Several libraries require the shop origin, including Shopify App Bridge, Polaris, and the EASDK. It’s a good idea to retrieve it and then store it for the duration of the session.
Getting and storing the shop origin
The process of getting and storing the shop origin is different depending on the library that you’re using for your app.
If you’re using koa-shopify-auth, then the shop parameter is automatically parsed from the authentication URL and stored in the context session under the shop key (for example,
If you’re using the shopify_app gem, then the shop parameter is automatically parsed from the authentication URL and stored in the session under the :shopify_domain key (for example,
Getting and storing the shop origin manually
If you’re unable to use any of the Shopify-provided libraries listed above, then you need to parse the shop parameter out of the authentication URL and store it for later use.
To get the shop parameter, parse it out of the confirmation redirect URL during the installation confirmation step of the authorization process.
After you’ve got the shop parameter, you need to store it for the duration of the user session. It’s best to use the session mechanism of your preferred framework. Otherwise, you can store the parameter in an HTTP-only cookie.
Each embedded application URL includes an hmac query parameter that can be used to authenticate the request from Shopify.
To learn more about this process, see the documentation about verifying requests from Shopify.
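The manual steps above, as an added example that is not part of the original documentation or any Shopify library: it authenticates the request with the hmac parameter, checks that shop is a myshopify.com hostname, and only then returns the value to store. The function names, the cookie name shopOrigin, the sample URL, the secret and the cookie attributes are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Shop name followed by myshopify.com, as the page describes the shop origin.
const SHOP_HOST = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Build the signed message: every parameter except hmac, sorted by key and
// joined as key=value with "&" (decoded values are assumed here).
function signedMessage(params) {
  return [...params.entries()]
    .filter(([key]) => key !== "hmac")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([key, value]) => `${key}=${value}`)
    .join("&");
}

function hexHmac(message, secret) {
  return crypto.createHmac("sha256", secret).update(message).digest("hex");
}

// Returns the shop origin to store for the session, or null if rejected.
function getShopOrigin(requestUrl, secret) {
  const params = new URL(requestUrl).searchParams;
  const shop = params.get("shop") || "";
  if (!SHOP_HOST.test(shop)) return null; // not a shop hostname
  const given = Buffer.from(params.get("hmac") || "", "utf8");
  const expected = Buffer.from(hexHmac(signedMessage(params), secret), "utf8");
  // Constant-time comparison; timingSafeEqual needs equal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  return shop.toLowerCase();
}

// Fallback when no framework session exists: an HTTP-only cookie. Secure and
// SameSite=None are assumed attributes for a cookie set inside an iframe.
function shopCookie(shop) {
  return `shopOrigin=${encodeURIComponent(shop)}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Constructed sample request, signed with a constructed secret.
function signedSampleUrl(shop, secret) {
  const query = new URLSearchParams({ shop, timestamp: "1700000000" });
  const hmac = hexHmac(signedMessage(query), secret);
  return `https://app.example/auth/callback?${query}&hmac=${hmac}`;
}

const SAMPLE_SECRET = "constructed-app-secret";
const sample = signedSampleUrl("example-shop.myshopify.com", SAMPLE_SECRET);
console.log(getShopOrigin(sample, SAMPLE_SECRET));
```

In a real handler the returned value goes into the framework session first; shopCookie is only the fallback the page mentions.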