Hence, Shopify throws a CORS error when detecting that you use a browser to send a request to a private API.
This is the answer to your question based on my comment. Storefront API is a public API and Admin API is a private one.
That's exactly why the difference between the APIs was pointed out.
Of course, you do not need a backend for Storefront API.
It takes very little time to verify that by sending a simple fetch request from Chrome dev tools console.
Aside from that, there is also a library (jsbuysdk) made by Shopify that utilizes Storefront API and is meant for the browser.
You can find more here: https://shopify.github.io/js-buy-sdk/
My questions are very related to the topic at hand and, although I'm pretty sure it's a few very tiny things that I'm missing, I too am struggling for answers.
My situation is simple: I have an Express server (Node) that can authenticate and call the Shopify admin API without problems when the process is initiated from a client app sitting on the same domain. When I initiate the oAuth flow from a client app sitting on a different domain (i.e. this client calls my secure server and this server attempts to establish contact with Shopify) then I end up with the CORS error described above.
I believe this is a reasonable (and possibly even popular) architecture and so it must be something simple I'm missing on my end.
Can you confirm if this is possible and - if so - if an example exists that I can study to see where I'm going wrong?
The actual answer is despite what the docs say, you have to use a middleman server to use Storefront API as well. You cannot just do it from the frontend like Stripe allows. So spin up a whole server that just passes messages, folks. Worry about it silently falling over at checkout, folks. That's the only way to use this "serverless solution" of a scam product.
Bottom line, after 2 integrations and endless trouble and even more monthly fees, I can attest, Shopify is a garbage fire built on a garbage framework, run by people who are just swimming in their money bin, don't care and don't answer questions on the forum. Good F'ing luck.
You're doing it wrong. If you use Storefront API as intended, there is no CORS issue.
Shopify is fundamentally built with the exact same HTTP protocols as all other Internet properties. Shopify is not pushing any unique technology, so comparing it to Stripe as if Stripe is somehow doing Internet computing different or more correct, is plain silly. Once you can do one pattern with one service, you can repeat with any other. oAuth is oAuth, for example.
It's ok to just say you don't understand, and ask for help. Mostly, you have to learn to help yourself. Like anything worth doing.
You sure you are not mixing up Storefront API with the GraphQL Admin API?
Storefront API even has a simple library - JS Buy SDK that can be used on any website to implement product catalog / cart functionality with your Shopify store.
You can see an example here: https://jamstack-ecommerce.nesters.me/
That's a static Nuxt.js storefront outside of Shopify that is utilizing Storefront API.
GraphQL Admin API rightfully will have CORS issues due to sensitive data that can be exposed if you leave your credentials available to everyone on the internet.
Puberty is hitting you hard! I get it though, I had kids, so your 'tude is like water off a ducks back. One day you'll be out of your mom's basement, and perhaps less bitter about things you should be enjoying more.