Embedded app Auth0 flow

Embedded app Auth0 flow

2 0 0



I already have a working public app which performs the initial Auth0 installation flow, and the shops offline access token is stored in my database. I also have a working proxy which sends calls from storefront to my server, and I can successfully verify the Shopify generated signature coming from the proxy, and retrieve the corresponding shops access token to make requests to the Admin API.


Now I want to make calls from my embedded app to my server and then to the Shopify Admin API. The only difference between this process and the process from a storefront is that on the storefront I have to use a proxy, which adds a signature onto my request so that I can perform HMAC verification. 


Should I do a similar process when making calls from my embedded application, and if so how?


I followed a Node.js and React tutorial in part to get to where I am, and as I have it working, my embedded app already has access my apps' API_KEY and SHOP_ORIGIN. So I technically could simply send a POST request to my server from the embedded app, sending the SHOP_ORIGIN, then in my server query my database for the corresponding shops offline_token, and with that make a call to the Admin API. However it feels like I'm skipping some sort of a verification step (like the signature for app proxies). In order for this to work I need an endpoint on my server which just takes a SHOP_ORIGIN and can make any Admin API request with only that, in which case why do I even need to verify signatures for an app proxy? 


Should I?

- Generate an online access token everytime an embedded app is created and use that instead of the offline access token (since I have access to my apps' API_KEY in my embedded app)?


If so, what is the redirect_uri in this context?

Reply 1 (1)

Shopify Staff
1829 271 414

Given the embedded app is loading an app from your server, you could create a session on the initial load (once you validate the request), and then check the session on API requests, something like:


// On app load, validate the request and then:
session['shop'] = 'some-shop.myshopify.com'

// On API request
if (session['shop']) { ...

Scott | Developer Advocate @ Shopify