Session token vs OAuth

I'm building a Shopify App using NextJS and NodeJS. I've been following the Shopify Guide, which is pretty useful even though it's pretty old.

I'm using the getSessionToken function from '@shopify/app-bridge-utils' to gain a JWT which the frontend application sends along as a header to the Node-server on all routes. 
On the server I use the jsonwebtoken package to verify the JWT along with the SHOPIFY_API_SECRET stored in my .env-file. 

At the moment I have two front end components (CustomerSettings and ArticleSettings), which both use a helper function that I've set up to get the session token, like this:

import { Context } from '@shopify/app-bridge-react';
import { getSessionToken } from '@shopify/app-bridge-utils';
import { useContext } from 'react';

// Asks App Bridge for a session token (JWT) for the current app context.
export default async function GetSessionToken() {
  const app = useContext(Context);
  const secret = await getSessionToken(app);

  if (secret) return secret;
}

and in the component it looks like this:

import { useState } from 'react';
import GetSessionToken from './GetSessionToken'; // path to the helper above (assumed)

const CustomerSettings = (props) => {
  // The token promise is created once, when the component renders.
  const sessionToken = GetSessionToken();
  const [customers, setCustomers] = useState([]);
  const getCustomers = async () => {
    const token = await sessionToken;

    // Sends the session token to the Node server as the Authorization header.
    const data = await fetch(`/customers`, {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `${token}`,
      },
    });
    // ... (rest of the handler omitted in the original post)
  };
  // ...
};

The problem I'm facing right now is that CustomerSettings and ArticleSettings get different JWTs, which makes the server verify function fail (sometimes, not always) with a "jwt expired" message:

const dotenv = require('dotenv');
const jwt = require('jsonwebtoken');

// Load the .env file before reading the secret from process.env.
dotenv.config();

const { SHOPIFY_API_SECRET_KEY } = process.env;

// Verifies the session token's signature against the app secret;
// returns the decoded claims, or null if verification fails (e.g. expired).
async function verifyReq(token) {
  try {
    return await jwt.verify(token, SHOPIFY_API_SECRET_KEY);
  } catch (error) {
    console.log('Error validating token', error);
    return null;
  }
}

I'm guessing I want the JWT to be the same regardless of which front-end component requests it. How would I solve this?

Another question:
I'm using the shopifyAuth and verifyRequest helper functions from '@shopify/koa-shopify-auth' package on my server, and specifying accessMode to offline. I'll get the shopName and accessToken and save those values to a database. Every route on my server is going through verifyRequest to ensure that anyone who's trying to reach my server needs to be logged in using Shopify OAuth.

With that in mind, is it overkill to also have the JWT check that I talked about earlier in this post? Or is that still relevant regarding security?