Storefront API + private app security concern

Solved
weiwanghasbeen
New Member

Hi,

I am trying to integrate Shopify into a website for a client. No login. No cart. Just a button that leads to the checkout page. I know this can actually be done easily with Buy Buttons, but I want to take this chance to learn more about the Storefront API.

Anyway, the website works well. The workflow is using the handle of a product to get the variant id, then creating a checkout with the variant id and getting its webUrl, then redirecting when a button is clicked.

I was wondering if this sounds secure, because all the data used in the flow (access token of private app, online store URL, handles) are public. I used Stripe before and it requires a private key for a similar process. Now I just want to make sure that I didn't upload anything that shouldn't be public on GitHub.

Thanks in advance,

Wei

c10s
Shopify Partner

This is an accepted solution.

Yes, the Storefront API (and the 'storefront access token') is intended for client-side code, so you're safe doing what you're doing.

However, you never want the Admin API and corresponding access token to be exposed to the client; that API should only ever be used in server-side code.
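
As an added example (not part of the original thread and not Shopify's own code), here is a small Node.js check that can be run over source files before they are pushed to a public repository. It lets Storefront API usage pass and flags Admin API material: secrets with the `shpat_`, `shpca_`, `shppa_` or `shpss_` prefix, the Admin `X-Shopify-Access-Token` header, and `/admin/api/` endpoints. The shop domain, the `VERSION` placeholder and the token values are constructed for the example.

```javascript
// Added example: flag Shopify Admin API credentials in source that will be public.
// Storefront API usage (header X-Shopify-Storefront-Access-Token) is allowed.
const RULES = [
  // Prefixed Admin-side secrets: access tokens, private app passwords, shared secrets.
  { id: "admin-token", re: /\bshp(?:at|ca|pa|ss)_[a-fA-F0-9]{32}\b/ },
  // Admin API auth header; not a substring of the Storefront header name.
  { id: "admin-header", re: /X-Shopify-Access-Token/i },
  // Admin API endpoints live under /admin/api/, Storefront under /api/.
  { id: "admin-endpoint", re: /\/admin\/api\//i },
];

// Returns one finding per (line, rule) match; the matched secret is never echoed.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) findings.push({ file, line: i + 1, rule: rule.id });
    }
  });
  return findings;
}

// Constructed samples: shop domain, VERSION and token values are placeholders.
const STOREFRONT_SAMPLE = `
fetch("https://example-shop.myshopify.com/api/VERSION/graphql.json", {
  method: "POST",
  headers: { "X-Shopify-Storefront-Access-Token": "${"0f".repeat(16)}" },
});`;

const ADMIN_SAMPLE = `
const ADMIN_TOKEN = "${"shpat_" + "a1b2".repeat(8)}";
fetch("https://example-shop.myshopify.com/admin/api/VERSION/products.json", {
  headers: { "X-Shopify-Access-Token": ADMIN_TOKEN },
});`;

for (const [file, text] of [["storefront.js", STOREFRONT_SAMPLE], ["admin.js", ADMIN_SAMPLE]]) {
  const findings = scanSource(file, text);
  console.log(file, findings.length ? findings : "no Admin API credentials found");
}
```

The token rule only matches prefixed secrets; an unprefixed value is caught only through the header or endpoint rules.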

weiwanghasbeen
New Member

W