I've built my own app which acts as a fulfillment service.
I have an install flow done; however, due to the implementation I'm going for, I need both an offline and an online token at the point that the user installs my app. Currently I cannot see how this is possible without having two separate flows.
I want an online token so I can use the user info that comes with it for a better sign-up experience but I need the persistence of an offline token to handle webhooks over a long period of time.
Is this at all possible?
This is an accepted solution.
Your main flow should still request the persistent (offline) token during installation. As an online token is linked to the user session and has a lifespan matched to the user's web session, you'll have to go through the authorization process with access_mode = per-user each time your application is loaded.
- It's recommended to keep this type of access token in a user's temporary session storage, backed by a cookie in the user's browser, and make API requests using this access token in response to the user's requests.
- If your application implements caching to avoid fetching data from Shopify too often, then make sure to scope the cache to each individual user. Since online access mode is guaranteed to respect each user's permission level, caching API responses irrespective of which user's access token was used would most likely result in an inconsistent cache.
- When this mode is requested and the application is not already installed in a store, the user installing the application must have access to all required scopes, or the installation will fail.
- After your app is installed, requesting this access mode will always return an access token restricted to the scopes available to the user. The application can inspect scope and associated_user_scope to determine if a user is lacking certain permissions.
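The two checks described in the answer above, as an added example that is not part of the original post or of Shopify's own code: comparing `scope` with `associated_user_scope` to find permissions a user lacks, and a cache keyed per user that expires with the online token. The names `missing_user_scopes` and `PerUserCache`, the sample responses and the shop domain are constructed for illustration, and treating `write_x` as implying `read_x` is an assumption.

```python
import time

def _scopes(value):
    """Parse a comma-separated scope string into a set.
    Assumption: a write_x scope also implies read_x."""
    granted = {s.strip() for s in (value or "").split(",") if s.strip()}
    implied = {"read_" + s[len("write_"):] for s in granted if s.startswith("write_")}
    return granted | implied

def missing_user_scopes(token_response):
    """Scopes the app holds that this user's online token does not carry."""
    app = _scopes(token_response.get("scope"))
    user = _scopes(token_response.get("associated_user_scope"))
    return app - user

class PerUserCache:
    """Cache keyed by (shop, user id, resource), so one user's API
    responses are never served to another user with fewer permissions."""

    def __init__(self):
        self._entries = {}

    def put(self, shop, token_response, resource, value, now=None):
        now = time.time() if now is None else now
        user_id = token_response["associated_user"]["id"]
        # Entries must not outlive the online token they were fetched with.
        expires_at = now + token_response["expires_in"]
        self._entries[(shop, user_id, resource)] = (expires_at, value)

    def get(self, shop, user_id, resource, now=None):
        now = time.time() if now is None else now
        key = (shop, user_id, resource)
        entry = self._entries.get(key)
        if entry is None or entry[0] <= now:
            self._entries.pop(key, None)  # drop expired entries
            return None
        return entry[1]

# Constructed sample online-token responses (all values are placeholders).
OWNER = {"access_token": "PLACEHOLDER_OWNER", "scope": "write_orders,read_products",
         "expires_in": 3600, "associated_user_scope": "write_orders,read_products",
         "associated_user": {"id": 1001}}
STAFF = {"access_token": "PLACEHOLDER_STAFF", "scope": "write_orders,read_products",
         "expires_in": 3600, "associated_user_scope": "read_products",
         "associated_user": {"id": 1002}}
```

The offline token obtained at install is stored separately, per shop, and is the one used for webhook-driven work.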