How are we suppose to test the app with beta users if we have to go through review in order to install the app? Shopify, this new change makes zero sense.
I am facing same issue. did you find a solution?
I just went through this nightmare and wanted to share my experience in case it helps. As multiple threads have mentioned, the custom merchant install link simply does not work. Additionally, if you build an unlisted / unapproved public app, it will install fine on your own test / development stores, but surprise, when you try to let an actual merchant install it, you will get the error others have screenshot.
What HAS worked (after much sweating leading up to a meeting with a client) is creating a custom app, GENERATING THE BROKEN CUSTOM MERCHANT INSTALL LINK and specifying that specific shop, and THEN sending them to an actual constructed OAuth2 permission URL you create yourself:
If you try to send this OAuth link prior to generating a custom merchant install link and specifying which merchant your custom app is for, you'll get the non-descriptive error that they can't install this app using this link, please reach out to the developer for more information (of which I had very little).
Crazy that this is so broken
But then even after I do this run-around to get the custom app installed all the environment variables on my server (SHOPIFY_API_KEY and SHOPIFY_API_SECRET_KEY) are set to the public (unreviewed app) so the whole app doesn't even work.
Am I missing something? How am I supposed to support dozens of custom apps for beta users when each one needs it's own API key/secret on my server.
So after another week and having more experience with the app approval review process, I need to walk back what I said previously - the custom merchant install link and "install on your development store" links DO actually work - but for whatever reason, Shopify just doesn't put it in plain English on how to achieve this. I can't speak to why the node.js example app doesn't work, but in general when someone arrives at your app, Shopify will automatically append hmac, shop and timestamp parameters (this is the part they don't make clear in the documentation, especially in the 'getting and storing shop origin' link). So it's up to your app to dynamically determine if a merchant doesn't have a valid access token and charge_id, then at that point you generate and route them to the permissionUrl for OAuth.
@Ben36 you're now facing the issue many complained about in the comments here: https://www.shopify.com/partners/blog/shopify-public-apps. I think the short answer here is you need to submit your app so it's approved by Shopify, even if unlisted. In my case, I submitted my app last week and am now waiting, but I'm also onboarding beta testers for my app so I faced the same dilemma as you. What I've done on the server side is I just create a conditional based on shopOrigin to assign the correct CLIENT_ID and CLIENT_SECRET for them. And on the client side, I do the same thing for CLIENT_ID. It's clumsy and manual, but as a temporary measure until my app is approved, it seems to be working.
EDIT: I see you're using environment variables so the above may not apply to you. You may just have to hard-code them in like I did for now.
I'm really not happy about the change Shopify made to block production stores from installing unpublished apps.
You can test your new apps as much as you like but there are certain tests such as load testing that are difficult if not impossible to test on a development store.
In the past we have had partnerships or good relationships with some stores that have allowed us to beta test new apps in their stores before submitting them for App Store approval. This had helped us identify small issues before they went live to everyone else.
As an example, last month we launched Cartly. The app blocks traffic from crawlers and bots but we didn't have a complete list of agents. After going live, we identified lots of new bots and spiders that were coming through in traffic and then had to add them to the rejection list and remove the records of these sessions from the database on a daily basis.
There should be a way to install unpublished apps for beta testing on a limited number of production stores. Sort it out Shopify.