Embedded App JWT Session Token on 2 backend Logic

tanseer_poptin
New Member

Hi,

We are creating a Shopify Embedded app using PHP/Laravel. We have 2 backend apps: 

  1. Our Shopify app (written in PHP) interacts with Shopify for auth/installation.
  2. Our main app (written in Laravel) is shown to the user after auth/installation is completed by our 1st app using the redirect method.

So do we need to handle the Shopify JWT session on both backend apps, or is it only required on our 1st backend app, which is responsible for auth/installation?

JoeyF
Shopify Staff

Will the main app (i.e. the second backend) handle requests from the frontend?

If so, then it will need to handle session tokens as well.

This section of the docs aims to clarify the difference between session tokens (allow your backend to verify requests from your frontend) and access tokens (allow your backend to make requests to Shopify's backend). Does it make things clearer?

tanseer_poptin
New Member

We have two backend apps. One connects with Shopify for installation & auth, and in this app we check whether the store/user exists and then pass that data to another backend app, which shows the main UI. So in this case, do we need a session JWT token for the 2nd app? The 2nd app's auth currently uses the Laravel default session, so will that work? Or do we need to change that to a JWT session?

JoeyF
Shopify Staff

I don't know Laravel well enough, and I'm not sure exactly what data is passed from your 1st app to your 2nd app. Regardless ...

> need to change that to jwt session?

In my opinion, yes.

This would ensure that incoming requests to your 2nd app are coming from Shopify (and not from a malicious attacker).
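
The check recommended above for the 2nd backend, as an added example (not code from this thread or from Shopify): it verifies the session token the frontend sends as `Authorization: Bearer <token>`, following Shopify's documented session-token format (HS256 signed with the app's API secret, `aud` equal to the API key, `iss` and `dest` on the same shop domain). The function names, key, secret and shop domain are constructed for illustration, and the 2nd backend is assumed to hold the same API key and secret as the 1st.

```php
<?php
declare(strict_types=1);

// Added example: verify a Shopify session token before trusting a frontend request.
function b64url_decode(string $s): string
{
    $s = strtr($s, '-_', '+/');
    return (string) base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}

function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function verifySessionToken(string $jwt, string $apiKey, string $apiSecret, ?int $now = null): array
{
    $now ??= time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { throw new UnexpectedValueException('malformed token'); }
    [$h64, $p64, $s64] = $parts;
    $header = json_decode(b64url_decode($h64), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') { throw new UnexpectedValueException('unexpected alg'); }
    // Recompute the HMAC over "header.payload" and compare in constant time.
    $expected = hash_hmac('sha256', "$h64.$p64", $apiSecret, true);
    if (!hash_equals($expected, b64url_decode($s64))) { throw new UnexpectedValueException('bad signature'); }
    $c = json_decode(b64url_decode($p64), true);
    if (!is_array($c) || !is_int($c['exp'] ?? null) || !is_int($c['nbf'] ?? null)) { throw new UnexpectedValueException('bad claims'); }
    if ($c['exp'] <= $now || $c['nbf'] > $now) { throw new UnexpectedValueException('token not valid at this time'); }
    if (($c['aud'] ?? null) !== $apiKey) { throw new UnexpectedValueException('wrong audience'); }
    $iss = parse_url((string) ($c['iss'] ?? ''), PHP_URL_HOST);
    $dest = parse_url((string) ($c['dest'] ?? ''), PHP_URL_HOST);
    if (!is_string($iss) || $iss !== $dest) { throw new UnexpectedValueException('iss/dest shop mismatch'); }
    return $c; // 'dest' identifies the shop, 'sub' the user
}

// Constructed demo values (not real credentials or a real shop).
$key = 'example-api-key';
$secret = 'example-api-secret';
$claims = ['iss' => 'https://example-shop.myshopify.com/admin', 'dest' => 'https://example-shop.myshopify.com',
           'aud' => $key, 'sub' => '42', 'exp' => time() + 60, 'nbf' => time() - 1];
$signed = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])) . '.' . b64url_encode(json_encode($claims));
$token = $signed . '.' . b64url_encode(hash_hmac('sha256', $signed, $secret, true));
echo verifySessionToken($token, $key, $secret)['dest'], PHP_EOL;
```

In a Laravel app this check would typically run in middleware on every route the embedded frontend calls, with the shop looked up from the verified `dest` claim rather than from request parameters.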