I currently have a custom sessionStorage handler which is storing sessions from a single app (node/express created from Shopify CLI) via database (Supabase, fwiw).
I want to be able to expand this database to handle session data from multiple apps, many of which might concurrently exist on the same domain. Ideally, I'd store the app id in the session itself, but the issue is I don't seem to be able to find a way to find that id (or some other permanent and distinct app identifier) until the session already exists and I can query it via the apps GraphQL query.
So my question is, is there a way to find a unique identifier for the currently running app, from its own environment, without external queries, or is there a way to ask this of the Shopify API without the session being active? Or even to have the CLI write this ID to env when it's creating the app?
Obviously I could manually hardcode this ID as soon as the CLI generates it, but I'm hoping for something more dynamic, so that I can more easily spin up test apps. I thought about pulling SHOPIFY_API_KEY from process.env and using this as a unique identifier, but it will break relations if/when I ever have to reset that key, so that's not ideal. Any other options or more obvious other ways I should approach this?
There's nothing from Shopify's end that's going to tell what app is currently running. I'd suggest using the client id (a stable, public identifier unique to each app) as the unique identifier for the running app. The key (or secret) should not be used for this because you may need to rotate it in the future if it got leaked. It's also not good security practice to be storing that key all over your database.
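An added example, not part of the original thread and not Shopify's own code: a session store that scopes every row to an app's client ID, as the reply above suggests, so two apps installed on the same shop cannot read or overwrite each other's sessions. The method names are assumed to follow the session-storage interface of Shopify's Node packages; the in-memory `Map` standing in for the database table, the client ID values, and how the caller obtains the client ID are assumptions.

```javascript
// Added example. A Map stands in for the shared database table (assumption).
// Every row is keyed by (clientId, sessionId), never by session id alone,
// and never by the app secret.
class AppScopedSessionStorage {
  constructor(clientId, table = new Map()) {
    if (!clientId) throw new Error("clientId is required");
    this.clientId = clientId; // public, stable identifier supplied by the caller
    this.table = table;       // shared by all apps using this store
  }

  // JSON-encode the pair so no delimiter inside either value can
  // make two different (clientId, id) pairs produce the same key.
  key(id) {
    return JSON.stringify([this.clientId, id]);
  }

  // Drop the storage-only clientId column before returning a session.
  toSession(row) {
    const { clientId, ...session } = row;
    return session;
  }

  async storeSession(session) {
    this.table.set(this.key(session.id), { ...session, clientId: this.clientId });
    return true;
  }

  async loadSession(id) {
    const row = this.table.get(this.key(id));
    return row ? this.toSession(row) : undefined;
  }

  async deleteSession(id) {
    this.table.delete(this.key(id));
    return true;
  }

  async deleteSessions(ids) {
    for (const id of ids) this.table.delete(this.key(id));
    return true;
  }

  // Only rows written by this app are visible, even for the same shop.
  async findSessionsByShop(shop) {
    return [...this.table.values()]
      .filter((row) => row.clientId === this.clientId && row.shop === shop)
      .map((row) => this.toSession(row));
  }
}
```

In a SQL-backed table the same idea is a composite primary key on the client ID and session ID columns, with every query filtering on the client ID.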
Thanks! Yes, using the client ID is absolutely my preferred option — I suppose my main question is that I can't see any clear programmatic way to obtain the client ID from Shopify before the session is active, which makes it tricky to then use this database as the shared session handler for multiple apps. I can get it when I do have the session, via GraphQL, but not before. Am I missing an available method, either via the API or the CLI?