Blog
Shopify App Authentication Explained (OAuth, Tokens)

For any Shopify app, the ability to securely access and modify a merchant's store data is its most fundamental requirement. This critical process is governed by authentication—the mechanism that verifies an app's identity and grants it specific permissions. Without a robust and secure authentication system, your app cannot function, and more importantly, it poses a significant risk to the merchants who entrust you with their business data.
The cornerstone of this process in the Shopify ecosystem is OAuth 2.0, an industry-standard protocol for authorization. Understanding how OAuth works, how to handle access tokens securely, and the best practices surrounding the entire authentication flow is not just a technical detail; it is essential for building a trustworthy and successful Shopify app. This guide will demystify Shopify app authentication, breaking down the concepts of OAuth and access tokens, and provide a clear roadmap for implementing a secure authentication process in your application.
Why Authentication is Crucial for Shopify Apps
Authentication is the gatekeeper for your application. It’s the process that allows a merchant to say, "I trust this app and grant it permission to perform specific actions on my behalf." This trust is paramount. A security breach originating from an app can have devastating consequences for a merchant, including data leaks, financial loss, and a complete loss of customer confidence. For developers, implementing authentication correctly offers several key benefits:- Security: It ensures that only authorized applications can access a store’s data, protecting both the merchant and their customers.
- Permission Scoping: It allows merchants to see exactly what data the app wants to access (e.g., read products, write orders) and make an informed decision before granting consent. This transparency builds trust.
- Identity: It provides your app with a verifiable identity for each store, allowing you to manage multiple installations in a multi-tenant environment.
- Compliance: Proper authentication is a core requirement for passing Shopify’s rigorous app review process and for being listed on the Shopify App Store.
Understanding OAuth 2.0: The Heart of Shopify Authentication
OAuth 2.0 is an open standard for access delegation. In simpler terms, it's a process that allows an application (your app) to obtain permission to act on behalf of a user (the merchant) without ever needing the user's password. Imagine you're staying at a hotel. To access your room, you don't get a master key to the entire building; you get a key card that only works for your specific room and only for the duration of your stay. OAuth 2.0 works in a similar way. When a merchant installs your app, they aren't giving you their Shopify login credentials. Instead, they are directed to Shopify to approve a specific set of permissions. If they agree, Shopify gives your app a special "key card"—an access token—that is specific to that store and limited to the permissions they approved.The Key Players in the OAuth Flow
To understand the process, you need to know the actors involved:- Resource Owner: The merchant. They own the store data and have the authority to grant access to it.
- Client Application: Your Shopify app. It wants to access the Resource Owner's data.
- Authorization Server: Shopify's OAuth server. It’s responsible for authenticating the merchant and obtaining their consent.
- Resource Server: Shopify's API server. It holds the store data (products, orders, etc.) and validates the access token before responding to requests from your app.
The OAuth 2.0 Handshake: A Step-by-Step Guide
The authentication process, often called the "OAuth dance" or "handshake," is a multi-step sequence of redirects and requests. Let's walk through it.Step 1: The App Installation Request
It all begins when a merchant clicks the "Add app" or "Install" button from the Shopify App Store or a direct installation link. This action initiates the OAuth flow by redirecting the merchant's browser to your app's installation endpoint.Step 2: The Authorization Redirect
Your app's first job is to construct a specific URL and redirect the merchant to Shopify's authorization endpoint. This URL contains several important query parameters:- client_id: Your app's unique API key, obtained from your Partner Dashboard.
- scope: A comma-separated list of permissions your app is requesting (e.g., read_products, write_orders). It's crucial to only request the scopes you absolutely need.
- redirect_uri: The URL in your app where Shopify should send the merchant back to after they approve or deny the installation. This URI must be whitelisted in your Partner Dashboard.
- state: A unique, randomly generated string, also known as a nonce (number used once). You generate this value and temporarily store it (e.g., in the user's session) before redirecting. This is a critical security measure to prevent Cross-Site Request Forgery (CSRF) attacks.
- grant_options[]: For online access mode, this should be set to per-user.
Step 3: Merchant Grants Permission
Shopify takes over at this point. It presents a consent screen to the merchant, clearly listing your app's name and the permissions (scopes) it is requesting. The merchant can review this information and choose to "Install app" (granting permission) or "Cancel." This step is handled entirely by Shopify, ensuring the merchant's credentials are never exposed to your app.Step 4: Shopify Issues an Authorization Code
If the merchant approves the installation, Shopify redirects them back to the redirect_uri you specified in Step 2. Appended to this URL are several parameters:- code: A temporary, one-time-use authorization code.
- hmac: A hash-based message authentication code. You use this to verify that the request genuinely came from Shopify and wasn't tampered with.
- shop: The myshopify.com URL of the store that just installed the app.
- state: The same nonce value you sent in Step 2.
- Verify the state: Check that the state value returned by Shopify matches the one you stored in the session. If they don't match, the request may be fraudulent, and you must reject it.
- Verify the HMAC: Remove the hmac parameter from the query string, and use the remaining parameters to compute your own HMAC signature using your app's secret key. If your computed signature matches the hmac value from Shopify, the request is authentic.
Step 5: The App Exchanges the Code for an Access Token
After verifying the request's authenticity, your app makes a final, crucial request. This is a server-to-server POST request from your app's backend directly to Shopify's oauth/access_token endpoint. This request must include:- client_id: Your app's API key.
- client_secret: Your app's secret key.
- code: The temporary authorization code you just received.
Step 6: Shopify Returns the Access Token
If the client_id, client_secret, and code are all valid, Shopify’s server responds with a JSON payload containing the holy grail: the access token. The response will look something like this: { "access_token": "f85632530c2323c6f028469fc25b7bff", "scope": "read_products,read_orders" } This access_token is the permanent key that your app will use to make authenticated API calls on behalf of that store.Storing and Managing Access Tokens
Once you have the access token, you must store it securely. This token is equivalent to a password for that specific store. If it leaks, an attacker could gain full access to the store's data within the scopes you were granted.Best Practices for Token Storage
- Store Tokens in a Secure Database: Create a table in your database (e.g., a shops or installations table) to store the access token along with the shop's identifier (shop_name.myshopify.com).
- Encrypt Tokens at Rest: Do not store access tokens in plain text. Use strong, industry-standard encryption (like AES-256) to encrypt the tokens before saving them to your database. The encryption key itself should be managed securely using a secret management service (e.g., AWS KMS, Azure Key Vault, HashiCorp Vault).
- Associate Tokens with Shops: Your data model should tightly couple the access token with the specific shop it belongs to. Every API request your app makes must retrieve the correct token for the shop it is acting upon.
Get a FREE Audit
We'll perform a comprehensive SEO, AEO, GEO & CRO audit of your website — completely free — and show you exactly how to outrank your competitors.
Don't have a site yet? Get in touch →
Online vs. Offline Access: Two Types of Tokens
Shopify provides two different "access modes" for tokens, and choosing the right one is critical.Offline Access Tokens
- Duration: Permanent (long-lived). They do not expire unless the merchant uninstalls the app.
- Use Case: This is the most common type of token, used for apps that need to perform background tasks when the merchant is not actively using the app. Examples include syncing inventory, processing order webhooks, or generating nightly reports.
- How to get it: This is the default token type you receive if you don't specify any grant_options.
Online Access Tokens
- Duration: Temporary (short-lived). They expire after a set period (e.g., 24 hours) or when the user logs out.
- Use Case: Used for apps that only perform actions while a specific user is logged in and actively using the app. It's designed to be tied to an individual user's session. This is useful when you need to check the permissions of the specific user interacting with your app (e.g., distinguishing between a store owner and a staff member with limited permissions).
- How to get it: You must include grant_options[]='per-user' in the initial authorization request. The JSON response will include a refresh_token and an expires_in field, and the token will be associated with the specific user who authorized it.
Making Authenticated API Calls
Once you have a securely stored access token, you can finally interact with the Shopify API. To make an authenticated request, you must include the access token in the request headers. The header should be formatted as follows: X-Shopify-Access-Token: {access_token} For example, to get a list of products from a store, you would make a GET request to https://{shop_name}.myshopify.com/admin/api/2025-01/products.json with the X-Shopify-Access-Token header set to that shop's token. If the token is valid and has the read_products scope, the API will return the product data. If the token is invalid or missing, you will receive a 401 Unauthorized error.Handling App Uninstallation
When a merchant uninstalls your app, Shopify sends a webhook to your app's mandatory app/uninstalled endpoint. This is your signal to perform cleanup. Your app must:- Verify the Webhook: Just like the OAuth callback, you must verify the HMAC signature of the uninstallation webhook to ensure it is a legitimate request from Shopify.
- Delete the Store's Data: Invalidate and permanently delete the access token associated with that shop. This is a critical security step.
- Purge All PII: As per GDPR and other privacy regulations, you must delete all personally identifiable information (PII) you have stored for that merchant and their customers.
Conclusion: Authentication as a Foundation of Trust
Shopify app authentication is more than just a technical hurdle; it's the foundation upon which you build a relationship of trust with merchants. A secure and correctly implemented OAuth 2.0 flow demonstrates your commitment to protecting their data and respecting their privacy. By following the steps outlined in this guide—properly managing the OAuth handshake, verifying all incoming requests, securely storing and encrypting access tokens, and handling uninstalls gracefully—you create a robust and resilient application. This not only satisfies Shopify's stringent requirements but also gives merchants the confidence they need to integrate your app into their business. As you market your app, a strong security posture can be a key selling point, and having a well-optimized site with clear messaging around security will improve your visibility and conversion rates through SEO. Building a secure authentication system can be complex, but it is a non-negotiable part of professional app development. If you need help architecting or implementing a secure authentication solution for your Shopify app, contact eSEOspace. Our team of expert developers can guide you through the process, ensuring your app is built on a foundation of security and trust.Make Your Website Competitive.
Leverage our expertise in Website Design + SEO Marketing, and spend your time doing what you love to do!






