Migrate from legacy authentication to OAuth

Currently Shopify uses OAuth 2.0 as the authentication standard for Shopify applications, but some Shopify applications are still using our legacy authentication system. It is important that developers update their applications to use OAuth, as our legacy authentication system will be deprecated and become unusable on May 7th, 2017.

OAuth authentication uses a token generated from your app's pre-existing legacy authentication. The token is the MD5 hex digest of the application_secret concatenated with the user_legacy_token. In Ruby, the code would be like this:

require 'digest'
Digest::MD5.hexdigest(app_secret + merchant_current_legacy_token)

In PHP, the code would be like this:

md5($app_secret . $merchant_current_legacy_token)

The returned result will be the OAuth token. You can now perform an authenticated API request to the merchant's shop by providing the generated token in the X-Shopify-Access-Token header.

We strongly suggest that the transition occurs in small steps:

  1. Create a new column in the database as oauth_token (or any other name) and apply the digest algorithm for each merchant. Test to see if the calculation was successful.
  2. Locally, update your app's code to use OAuth (this means updating the library of whatever your app needs) and make it use the new column (oauth_token) as the api_token.
  3. Push the new version of your app and change the app to use OAuth in the Shopify app panel at the same time.
  4. Delete the old column storing the old legacy token.
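Steps 1 and 2 as an added Ruby example (not Shopify's code): it backfills an oauth_token column, checks each stored value by recomputing it, and builds the request header. The in-memory rows, shop names, secret and helper names are constructed for illustration and stand in for your own merchants table.

```ruby
require 'digest'

# Constructed sample data: secret, shops and legacy tokens are made up, and
# this in-memory array stands in for the app's merchants table (an assumption).
APP_SECRET = 'constructed-app-secret'
MERCHANTS = [
  { shop: 'alpha.example', legacy_token: 'legacy-token-alpha', oauth_token: nil },
  { shop: 'beta.example',  legacy_token: 'legacy-token-beta',  oauth_token: nil },
  { shop: 'gamma.example', legacy_token: nil,                  oauth_token: nil }
]

# The derivation given in this tutorial: MD5 hex digest of secret + legacy token.
def derive_oauth_token(app_secret, legacy_token)
  Digest::MD5.hexdigest(app_secret + legacy_token)
end

# Step 1: fill the new column without touching the legacy one. Safe to re-run.
# Rows with no legacy token are reported, not given a digest of the secret alone.
def backfill(rows, app_secret)
  rows.each_with_object([]) do |row, skipped|
    legacy = row[:legacy_token].to_s
    if legacy.empty?
      skipped << row[:shop]
    else
      row[:oauth_token] ||= derive_oauth_token(app_secret, legacy)
    end
  end
end

# Step 1 check: recompute each stored token and compare; returns failing shops.
def mismatched(rows, app_secret)
  rows.select do |row|
    token = row[:oauth_token]
    next false if token.nil? # not migrated; already reported by backfill
    !(token.match?(/\A[0-9a-f]{32}\z/) &&
      token == derive_oauth_token(app_secret, row[:legacy_token].to_s))
  end.map { |row| row[:shop] }
end

# Step 2: the app reads the new column and sends it in the OAuth header.
def api_headers(row)
  raise ArgumentError, "#{row[:shop]} has no oauth_token" if row[:oauth_token].nil?
  { 'X-Shopify-Access-Token' => row[:oauth_token] }
end

# Report shop names and counts only; token values are credentials, keep them out of logs.
skipped = backfill(MERCHANTS, APP_SECRET)
puts "skipped (no legacy token): #{skipped.join(', ')}"
puts "mismatched: #{mismatched(MERCHANTS, APP_SECRET).length}"
```

Run the mismatch check again just before step 4, since the legacy column is the only input from which a wrong oauth_token can be recomputed.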

Your merchants should not notice anything, but there might be a few seconds of downtime while the transition to OAuth occurs.

Keep in mind that transitioning to OAuth will grant these permissions to your app:

  • write_content
  • write_themes
  • write_products
  • write_customers
  • write_orders
  • write_script_tags
  • write_shipping

You can request an access scope that isn't listed above, but Shopify will prompt the merchant to re-authorize the app. This is a similar process to installing a new app.