Hi, we have nearly completed an integration with a sales channel using permalinks.
We have been advised to add the access token to the permalink for attribution as detailed here: document
However, being a sales channel posts to generate a new access token at /admin/api/2020-07/storefront_access_tokens.json return the following error:
"errors": "App must be extendable to create a storefront access token."
We already have an access token per store, however if we expose this on the front-end this would mean that any user of our sales channel could copy the token and use it to maliciously abuse the Shopify API? (We currently have these tokens hidden behind a proxy).
What is the "correct" way to implement attribution in a permalink for a sales channel?
Solved! Go to the solution
This is an accepted solution.
With some trial and error we've realised that you can get permission to the access token endpoint by requesting unauthenticated access scopes (which don't really have anything to do with the actual purpose of the token), these tokens can safetly be embedded in the URL.