We are currently calling a third-party API (our API to register the user in our system) using Ajax on the cart page for the Join Loyalty feature.
But by exploring we found that Ajax is not a secure way to implement APIs. To implement APIs securely we have to call the APIs on the server side.
So, can anyone tell us how to call server-side APIs?
Thanks in advance.
Ajax is perfectly fine for public APIs, but as you noted, POSTing user registrations via a client Ajax call is not and would be easily exploited.
You could use webhook notifications (see Settings > Notification > Webhooks, which is also explained here), in particular the customers/create event topic, and send that notification to one of your API endpoints to handle it and proceed with creating the user in your system as well.
The above approach will not let you sync existing users from the store, so they would not be able to use your loyalty feature, as their user accounts wouldn't exist in there. To overcome that and sync existing customer accounts with your loyalty user accounts, you would need to create a private app (if it is for your store only) or a public app (listed if intended to appear in the app store, or unlisted) in order to be able to do this via Shopify Admin APIs.
Hope this helps!
Hi, Karl Offenberger,
Thanks for the reply. We looked into the solution you suggested, but we need to create that webhook using the API, because we are creating a Shopify public app, and it is not a good idea to tell store owners to manually create webhooks after app installation. So we tried to create the webhook using the API, but the problem is how to get the signed key which is available in Shopify admin. This signed key is needed to call the webhook API, and the signed key is generated after creation of the first webhook.
Attaching an image of the Shopify admin panel where you can see the signed key.
Please tell us the solution.
Thanks for the reply. As you said, the webhook is created already, but my question is how to pass that signed key in the webhook API.
The current working webhook from Shopify admin uses the signed key. The webhook is given below:
This webhook is working fine, but it was created in Shopify admin.
So, is there a need to pass the signed key when we are creating the webhook using the API?
If yes, then how?
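
The server-side receiver for the customers/create webhook discussed in this thread, as an added example that is not part of any post above. It assumes the webhook was registered by an app through the API, in which case Shopify signs each delivery with the app's client secret (API secret key), so no key is passed at creation time; `APP_SECRET`, the function names and the loyalty record shape are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; a real app loads its client secret from server-side config.
APP_SECRET = "example-app-client-secret"


def sign(raw_body: bytes, secret: str) -> str:
    """Base64 HMAC-SHA256 of the raw body, the format of X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(headers: dict, raw_body: bytes, secret: str) -> bool:
    """Check the signature over the exact bytes received, before any JSON parsing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get("x-shopify-hmac-sha256", "")
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(sign(raw_body, secret).encode(), received.encode())


def handle_customers_create(headers: dict, raw_body: bytes, secret: str = APP_SECRET):
    """Return (status, loyalty_record); the record is None unless the call is authentic."""
    if not verify_webhook(headers, raw_body, secret):
        return 401, None
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-shopify-topic") != "customers/create":
        return 200, None  # authentic, but not the topic this endpoint registers
    customer = json.loads(raw_body)
    # Hypothetical record shape for the loyalty system.
    return 200, {"shopify_customer_id": customer["id"], "email": customer.get("email")}


if __name__ == "__main__":
    body = json.dumps({"id": 1001, "email": "pat@example.com"}).encode()  # constructed
    good = {"X-Shopify-Topic": "customers/create",
            "X-Shopify-Hmac-Sha256": sign(body, APP_SECRET)}
    print(handle_customers_create(good, body))
    print(handle_customers_create(good, body + b" "))  # altered body is rejected
```

The signature must be computed over the raw request bytes; verifying a re-serialized JSON body will fail even for genuine deliveries.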