Authentication for a "private app"

Lamont_Adams
Shopify Partner
1 0 0

Hi,

I'm engaged in building an app that's responsible for fetching a list of currently open orders from a single shop to feed to into an external system (this is single-use and will "pull" only so a full-on web stack would be overkill). I've been to my partner portal, created a development shop and generated private API keys.

What do I do with them?

I understand private apps don't authenticate through OAuth, but I'm not able to find any information on excatly how to authenticate using the private keys. All the Authentication links I follow in the documentation wind up talking about OAuth specifically and if they mention the private app process at all they point me back to steps for generating the keys.

Google found me a post on these forums (https://ecommerce.shopify.com/c/shopify-apis-and-technology/t/private-apps-authentication-help-14048...) that's marked "Outdated" and links to a github repository for a PHP library that's no longer maintained. So I'm leery about any information I find there.

I assume I need to do something like what's described here?

https://help.shopify.com/api/tutorials/building-public-app#authenticating

To obtain the access token, send a POST request to https://<shop>/admin/oauth/access_token where shop is the domain of the shop where the application is being installed (e.g. test-shop.myshopify.com). The body of the POST request will contain the API key for the application, the application secret key, as well as the code provided in the original request parameters.

But I'm at a loss as to what I'm supposed to use as "the code provided in the original request parameters." All I have are the key, password, and secret from my private portal. Where do I get this code?

Thanks

 

EDIT: After looking over the PHP source at https://github.com/notmaintained/shopify_api/blob/master/client.php and https://github.com/phpish/shopify/blob/master/shopify.php (I'm C# native but I groked most of it) it looks like I need to make a web request to a URL like: https://{apiKey}:{password}@ignew-test.myshopify.com/ with a json content-type header and I should get back some sort of JSON response? Is that correct?

I've tried making a GET and a POST to this URL and I get a 302 redirect to ignew-test.myshopify.com/password in both cases. What am I missing?

 

 

0 Likes
Kraken42
Explorer
259 0 24

Set them in the credentials in the http object before making the call.

 

 

0 Likes
Jamie_D_
Shopify Staff (Retired)
Shopify Staff (Retired)
531 1 99

Hi Lamont,

For a private application for a single shop, you don't need to generate credentials on your partner account, you should generate these credentials in the shop admin.

See this guide: https://help.shopify.com/api/guides/api-credentials#generate-private-app-credentials

The endpoint you are requesting should be formatted like this: https://api_key:password@shop-name.myshopify.com/admin/products.json

Where products.json can be any of the endpoints described in the API Reference.

 

 

0 Likes
Pogodan
Shopify Expert
76 0 11

Lamont, in response to your edit - the format "https://api_key:password@shop-name.myshopify.com/admin/products.json" works in some browsers / HTTP libraries because they support automatic translation of the api_key:password@host format into basic authentication.

If your HTTP library doesn't support this automatically, you'll need to look into how to set basic auth in the HTTP headers.

P.S. If you're already switching from familiar C# to a new language for this project, I'd recommend Ruby which has likely the best Shopify library support & documentation.

Pogodan | https://experts.shopify.com/pogodan-dev
0 Likes
MozzoERP
Shopify Partner
65 3 9

I realize this is an old post, but it come up in Google as I searched for how to authenticate a private app with an access token, which is possible and is not included in any of these answers.

In our case, we use C# and ShopifySharp and were looking to create a Webhook and their WebhookService only takes an accessToken as a parameter, not user/pwd. 

You can use a token only and it is the value listed in the Shopify Admin API's Password field that you use as the Token:

From: https://shopify.dev/tutorials/authenticate-a-private-app-with-shopify-admin#shopify-access-token

Private apps can authenticate with Shopify by including the request headerX-Shopify-Access-Token: {access_token}, where {access_token }is replaced by your private app's Admin API password.

Hope this helps some other Googler

Chad Richardson
Mozzo Software - Modular Software that grows with you from solopreneur to a 200 person mega team. Why keep outgrowing your Shopify Apps? Start with us, and just use the modules you need, then add more as you grow. http://MozzoERP.com
0 Likes