API security - limit API access to certain IPs

deonswart
Tourist
11 0 0

Hi

Does anyone know if it's possible to limit API access to a shop to only certain IP addresses?

For example, I have a private app that makes API calls, so ideally I'd like to limit the access to that website's IP only.

If the API key is compromised in some way, it then wouldn't matter.

There are so many scoundrels out there!

thanks

Replies 3 (3)

Gregarican
Shopify Partner
1033 86 285

Do you mean that you would like to restrict the inbound IPs that are accessing your private app, or restrict Shopify's side so that only your private app is accessing the Shopify API? If it's the former, then your private app's hosting side could enforce IP restrictions. If it's the latter, then that is more challenging, since your private app hitting Shopify's API on the client side looks like the actual user's origin endpoints.

What I do in my use cases where I want to restrict things is implement a Shopify app proxy --> https://shopify.dev/tutorials/display-dynamic-store-data-with-app-proxies. That way my private apps behave like a virtual extension of the Shopify store based on the URLs being proxied. And I can validate access based on HMAC signature validation. Maybe that's a step in the right direction?
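Added example of the HMAC check mentioned above (not Gregarican's code and not a Shopify library): verifying the `signature` parameter that Shopify attaches to app-proxy requests, following the scheme described in the app-proxy docs (drop `signature`, sort the remaining parameters by name, join each as `name=value` with no separator between pairs, HMAC-SHA256 with the app's shared secret, hex digest). The shared secret and query string below are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs


def compute_proxy_signature(query: str, shared_secret: str) -> str:
    """Recompute the app-proxy signature for a raw query string.

    Scheme as documented for app proxies: remove `signature`, sort the other
    parameters by name, join each as name=value (repeated names joined by
    commas) with NO separator between pairs, then HMAC-SHA256 that string
    with the app's shared secret and return the hex digest.
    """
    params = parse_qs(query, keep_blank_values=True)
    params.pop("signature", None)
    message = "".join(
        f"{name}={','.join(values)}" for name, values in sorted(params.items())
    )
    return hmac.new(
        shared_secret.encode(), message.encode(), hashlib.sha256
    ).hexdigest()


def verify_proxy_request(query: str, shared_secret: str) -> bool:
    """Return True only if the request carries a valid signature for this secret.

    A missing or tampered parameter (shop, path, timestamp, ...) changes the
    recomputed digest, so the request is rejected at the middleware before
    any store data is served.
    """
    params = parse_qs(query, keep_blank_values=True)
    provided = params.get("signature", [""])[0]
    expected = compute_proxy_signature(query, shared_secret)
    # Constant-time comparison so timing does not leak the expected digest.
    return hmac.compare_digest(provided, expected)


# Constructed sample values (placeholders, not a real shop or secret).
SHARED_SECRET = "example-shared-secret"
QUERY = "shop=example.myshopify.com&path_prefix=/apps/awesome&timestamp=1317327555"

if __name__ == "__main__":
    sig = compute_proxy_signature(QUERY, SHARED_SECRET)
    print(verify_proxy_request(f"{QUERY}&signature={sig}", SHARED_SECRET))       # True
    print(verify_proxy_request(f"{QUERY}&signature={'0' * 64}", SHARED_SECRET))  # False
```

In a real app the shared secret comes from the app's configuration, never from the request, and the check runs before any proxied endpoint touches store data.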

deonswart
Tourist
11 0 0
Thanks very much, yes it is the latter example, and that is a step in the right direction.

Interestingly the tutorial link you posted says proxies cannot be used by private apps - but clearly you have managed to get this right?

Furthermore, do you know if there is some way to view a log of API activity?

Gregarican
Shopify Partner
1033 86 285

The app I have that's working through the proxy is a private app. My app is essentially middleware, so my logs are located there. In my case, it's a Microsoft IIS service, so I just peek into the logs within there.