OAuth Authentication Issue: App Rejected for Not Following Immediate OAuth Requirement

FrenzyRider
Shopify Partner

I'm developing a public app that integrates with Shopify to provide various functionalities. My app recently got rejected during the review process for not adhering to the immediate OAuth authentication requirement.

Current Flow:

  1. User logs in to my software dashboard.
  2. User creates a new Shopify integration, filling in their Shopify shop name and selecting the related store in my software.
  3. User clicks the "Authorize" button, which redirects them to the Shopify OAuth page.
  4. After authorizing the app on Shopify, the user is redirected back to my software.

I spoke to Shopify support, and they couldn't provide code development assistance but suggested I post here.

Questions:

  1. Does my current flow violate Shopify's immediate OAuth requirement?
  2. How can I modify my flow to meet Shopify's guidelines, considering that the OAuth URL requires the {shop} parameter, which is the merchant's Shopify store name?

Additional Information:

  • Language/Framework: .NET C#, not using any Shopify libraries

I appreciate any guidance or suggestions you can provide. Thank you for your time!

Reply 1 (1)
Liam
Shopify Staff

Hi FrenzyRider,

From your description, your current flow appears to be in line with Shopify's OAuth requirements.

Here's what the OAuth flow should look like for a typical Shopify app:

  1. The merchant installs your app.
  2. Your app redirects the merchant to Shopify's OAuth authorization page.
  3. The merchant decides whether to grant the requested access to your app.
  4. Shopify redirects the merchant to your app along with an authorization code.
  5. Your app makes a request to Shopify to exchange the authorization code for an access token.

If your flow is different from the one described above, then you might be breaking the immediate OAuth requirement.

About your second question, the {shop} parameter in the OAuth URL is indeed the merchant's Shopify store name, and it must be provided. If the merchant is setting up the integration from within your app, you should already know their Shopify store name. You can include this in the OAuth URL.

If you don't have the Shopify store name at the time of integration setup, you might need to adjust your flow. You could ask for the Shopify store name as part of your integration setup process.

In terms of .NET C# libraries, ShopifySharp is a popular choice for developing Shopify integrations. It takes care of much of the complexity of Shopify's API, including OAuth authentication.

Hope this helps!

Liam | Developer Advocate @ Shopify 
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
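
The server-side checks around steps 2 and 4 of the flow listed in the reply above, as an added example that is not part of the thread and is not Shopify's or ShopifySharp's code: the user-typed {shop} value is validated before any redirect, and the callback's `state` and HMAC are verified before the code is exchanged. It assumes .NET 6 or later; the class name, secret, shop, client id and URLs are constructed placeholders, and the authorize path, `*.myshopify.com` host rule and HMAC-SHA256 callback signature follow Shopify's documented authorization code grant.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class ShopifyOAuthChecks   // hypothetical helper, names are assumptions
{
    // Accept only <name>.myshopify.com so a typed-in value cannot send the redirect elsewhere.
    static readonly Regex ShopHost = new Regex(@"\A[a-z0-9][a-z0-9\-]*\.myshopify\.com\z", RegexOptions.IgnoreCase);
    public static bool IsValidShop(string shop) => shop != null && ShopHost.IsMatch(shop);

    // Step 2: build the authorization URL, binding the request to a per-session state nonce.
    public static string BuildAuthorizeUrl(string shop, string clientId, string scopes, string redirectUri, string state)
    {
        if (!IsValidShop(shop)) throw new ArgumentException("invalid shop host", nameof(shop));
        return $"https://{shop}/admin/oauth/authorize?client_id={Uri.EscapeDataString(clientId)}" +
               $"&scope={Uri.EscapeDataString(scopes)}&redirect_uri={Uri.EscapeDataString(redirectUri)}" +
               $"&state={Uri.EscapeDataString(state)}";
    }

    // Step 4: verify the callback query before exchanging the code for a token (step 5).
    public static bool VerifyCallback(IDictionary<string, string> query, string clientSecret, string expectedState)
    {
        if (!query.TryGetValue("hmac", out var hmacHex) || !query.TryGetValue("shop", out var shop) || !IsValidShop(shop)) return false;
        if (!query.TryGetValue("state", out var state) || state != expectedState) return false;
        // Signed message: every parameter except hmac, sorted by key, joined as key=value with '&'.
        var message = string.Join("&", query.Where(kv => kv.Key != "hmac")
            .OrderBy(kv => kv.Key, StringComparer.Ordinal).Select(kv => $"{kv.Key}={kv.Value}"));
        using var mac = new HMACSHA256(Encoding.UTF8.GetBytes(clientSecret));
        byte[] given;
        try { given = Convert.FromHexString(hmacHex); } catch (FormatException) { return false; }
        return CryptographicOperations.FixedTimeEquals(mac.ComputeHash(Encoding.UTF8.GetBytes(message)), given);
    }

    static void Main()
    {
        const string secret = "constructed-secret";                      // placeholder, not a real credential
        var state = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        Console.WriteLine(BuildAuthorizeUrl("example-store.myshopify.com", "CLIENT_ID", "read_products", "https://app.example/callback", state));
        var q = new SortedDictionary<string, string>(StringComparer.Ordinal) {   // constructed callback parameters
            ["code"] = "constructed-code", ["shop"] = "example-store.myshopify.com", ["state"] = state, ["timestamp"] = "1700000000" };
        using var mac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        q["hmac"] = Convert.ToHexString(mac.ComputeHash(Encoding.UTF8.GetBytes(string.Join("&", q.Select(kv => $"{kv.Key}={kv.Value}")))));
        Console.WriteLine(VerifyCallback(q, secret, state));             // callback exactly as signed
        q["shop"] = "example-store.myshopify.com.evil.example";          // shop altered after signing
        Console.WriteLine(VerifyCallback(q, secret, state));
    }
}
```

Only after `VerifyCallback` succeeds should the app post the code to the validated shop's token endpoint, so the client secret is never sent to a host the user merely typed in.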