Perform authenticated requests to 3rd party API on behalf of a logged-in user

New Member

Hello everyone,


I'm developing an app that holds secured information (software licenses in my case) which is stored on a 3rd party API Service (say Google Firebase API). On the logged in user account page, I want to perform a SECURED request to my service, to list information stored on the 3rd party service.


The way I expect it to work would be that (for example) a logged in user would have a session token that I can authenticate over my API by performing a private API request to Shopify Admin REST API. So from the liquid template I would perform a request to: `` with `{ token: << logged in session token >> }` and on the API side, I would verify the validity of the token to decide what sort of response is needed.

So, when a logged in customer navigates to: ``, a request would be generated to: `` with info which will allow validating the customer and responding with this private information.


Just to confirm: I'm not talking about a private merchant app that is viewed on the `` page, but about PRIVATE information I would like to display SECURELY on the site/template/frontend for logged in customers. I could not find any information regarding this kind of functionality anywhere in the documentation and would like to know if that's possible.


Thanks in advance!

New Member

This is an accepted solution.

For whoever is googling this question in the future, I found a solution.


For unsecured public API calls (say latest tweets from the Twitter API), nothing stops you from including any sort of `<script>` tag on the store front end. The question is how do you perform a secured private API request while not exposing secrets on the frontend. Shopify's solution is using App Proxies. So, the front-end store will perform a request to say `` and this request will be proxied as a private request between the store backend and your private API. On your private API endpoint, you should validate the request, which includes a SHA-256 HMAC digital signature.


More info here:


Notice 1: It took me a second to find the App proxy menu, which is not enabled by default on an app. Look for "Manage extension areas" on the app settings page.

Notice 2: Your response could be an HTML Liquid template, not just an XML/JSON response, which I find very useful.
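
One way to do the signature check the accepted answer describes on the private API side, as an added example that is not part of the original post or Shopify's own code. It assumes the app proxy scheme of a hex HMAC-SHA256 over the sorted `key=value` query pairs keyed with the app's shared secret, and the parameter names `signature`, `timestamp` and `logged_in_customer_id`; the secret, shop and path values are constructed, and the freshness window is an added assumption.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode


def proxy_signature(params, secret):
    """Hex HMAC-SHA256 over sorted 'key=value' pairs joined with no separator.

    params maps each name to a list of values, as parse_qs returns them.
    """
    pairs = sorted(f"{k}={','.join(v)}" for k, v in params.items())
    return hmac.new(secret.encode(), "".join(pairs).encode(),
                    hashlib.sha256).hexdigest()


def verify_proxy_request(query_string, secret, max_age=300, now=None):
    """Return the verified parameters, or None if the request must be rejected."""
    # Blank values are signed too (e.g. an empty customer id for a visitor
    # who is not logged in), so they must not be dropped while parsing.
    params = parse_qs(query_string, keep_blank_values=True)
    received = params.pop("signature", [""])[0]
    expected = proxy_signature(params, secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    try:
        ts = int(params["timestamp"][0])
    except (KeyError, ValueError):
        return None
    now = time.time() if now is None else now
    if abs(now - ts) > max_age:  # assumed replay window, not from the post
        return None
    return {k: ",".join(v) for k, v in params.items()}


if __name__ == "__main__":
    secret = "constructed-shared-secret"  # constructed, never shipped to the browser
    fields = {"shop": "example.myshopify.com", "path_prefix": "/apps/licenses",
              "timestamp": str(int(time.time())), "logged_in_customer_id": "42"}
    sig = proxy_signature({k: [v] for k, v in fields.items()}, secret)
    query = urlencode({**fields, "signature": sig})
    print("valid:", verify_proxy_request(query, secret))
    forged = query.replace("logged_in_customer_id=42", "logged_in_customer_id=43")
    print("forged:", verify_proxy_request(forged, secret))
```

Only after this check passes should the endpoint trust the customer id in the query and look up that customer's private data.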

New Member

Hi @eladg 

I am virtually in the same situation you are/were. Our store requires customers to log in, and I then want to show secure information on a page within Shopify that was fetched from a 3rd party API.

You said your solution was App Proxies. I was wondering if you would be able to explain how you've implemented your solution, as I can't seem to wrap my head around how the proxy will work.

On Shopify's end, what does the "request to the proxy" look like? Is this something you implement in the page templates? And how do you pass the customer's auth token to your 3rd party endpoint?

Sorry if these are stupid questions, I am still learning my way around Shopify dev.