How do I authorize a user in a non-embedded app?

Shopify Partner

Hey everyone!


I have a question regarding the authorization of users. I followed the OAuth flow until the point where I got the access token for the shop. So far, so good. But when a user is interacting with my non-embedded app now, how do I know the user is actually a user of that shop and not someone else?


When opening the app from Shopify admin, I get the parameters hmac, host, session, shop and timestamp. Is it enough to validate the request using hmac?


Thanks for any help!

Replies 4 (4)

Shopify Partner

Hello there! 


Authorizing a user in a non-embedded app on Shopify involves the following steps:


  1. Create a new app in the Shopify Partner Dashboard or use an existing app.
  2. Create a new App Bridge instance by passing the App Bridge API key and the Shop Origin to the App Bridge constructor.
  3. Use the Redirect.create method to redirect the user to the Shopify OAuth authorization page, passing the required scopes and redirect URL.
  4. Once the user grants permission, Shopify will redirect the user to the redirect URL with an authorization code.
  5. Use the authorization code to make a POST request to the Shopify OAuth Access Token URL, passing the code, client_id and client_secret.
  6. Shopify will return an access token that you can use to make API calls on the merchant's behalf.


It is important to note that the redirect URL you pass to the Redirect.create method must be whitelisted in the app settings in the Shopify Partner Dashboard. Additionally, the scopes you request must match the permissions you need for your app to function properly. It's also important to make sure that you are handling the access token securely and storing it properly.

Make sure to follow Shopify's guidelines and best practices when developing your app and handling user data. Keep in mind that security is important and the user's trust is valuable.




Shopify Partner

Hello @EcomGraduates 

Thank you for your reply. But as stated in my initial post, this is what I have already done. My question was: what is the best way to verify that the user who will talk to my API after the code exchange is actually part of that shop? The access code only authorizes the backend to talk to Shopify, not the user. I was looking for a way to authorize the user to talk to our backend.


But I assume that our backend just needs to provide its own access token for the user. I just thought there was an easier solution for it using the data Shopify provided.

Shopify Partner

Hello @ottero 

Have you found how to verify if a user is part of a shop?

Shopify Partner


When accessing the non-embedded app, the user will always go through the normal Shopify OAuth flow first. During that process, it is guaranteed that the user is part of the requesting shop and the request can be verified using the hmac. For further requests to my backend API, I return an access token created by my backend at the end of the OAuth flow. That token contains the shop and is signed using a backend secret (could be the app secret for example).


So basically, I use the OAuth flow to make sure the user belongs to the shop and then create my own access token for the user so they can access my app backend.


In addition, I also provide a refresh token, so the user can refresh their access token.
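
The approach in the last reply, sketched as an added example (not code from any poster in this thread or from Shopify): check the `hmac` on the OAuth callback query, then issue a backend-signed token that carries the shop. The secrets, the token layout and all function names are assumptions made for illustration, and the refresh token is left out.

```python
import base64, hashlib, hmac, json, re, time
from urllib.parse import parse_qsl

APP_SECRET = b"constructed-app-secret"          # placeholder for the Shopify app secret
BACKEND_SECRET = b"constructed-backend-secret"  # assumption: separate key for our own tokens
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")

def sign_params(params, secret=APP_SECRET):
    """Hex HMAC-SHA256 over the sorted key=value pairs joined with '&'."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()

def verify_shopify_query(query, secret=APP_SECRET):
    """Return the shop if the query's hmac is valid, otherwise None."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    received = params.pop("hmac", "")            # hmac itself is not part of the message
    expected = sign_params(params, secret)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    shop = params.get("shop", "")
    return shop if SHOP_RE.match(shop) else None

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _token_sig(payload):
    return _b64(hmac.new(BACKEND_SECRET, payload.encode(), hashlib.sha256).digest())

def issue_token(shop, ttl=900, now=None):
    """Backend token: base64url(JSON claims) + '.' + base64url(HMAC)."""
    now = int(time.time() if now is None else now)
    payload = _b64(json.dumps({"shop": shop, "exp": now + ttl}).encode())
    return f"{payload}.{_token_sig(payload)}"

def verify_token(token, now=None):
    """Return the shop bound to a valid, unexpired token, otherwise None."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(_token_sig(payload).encode(), sig.encode()):
        return None                              # signature checked before parsing claims
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time() if now is None else now)
    return claims["shop"] if claims["exp"] >= now else None
```

The API handler should take the shop from `verify_token()` and never from a request parameter, so every later request is bound to the shop that went through the OAuth flow.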