Session Tokens not for making API calls?

6 1 0

I want to clarify if Session Tokens are not to be used for making calls to Shopify API?

From the tutorial at this page:

This description leads me to believe that I can use it to make calls to Shopify:

2. Start fetching protected data with session tokens
With the App Bridge instance created, you can now start getting session tokens and passing them in requests to fetch protected merchant data. For each request to fetch protected resources from the app backend, the session token needs to be passed in as an Authorization header in the following format:

But I did not find any APIs which accept the "session token" in place of the "access token". After going around in circles I can only conclude that the session token is for sending to your own backend only. And that your backend only uses it to determine the target shop.

However, isn't the same information also exposed in the HMAC (which is also signed with the secret)? Couldn't the frontend forward the HMAC to the backend as authentication instead?

Reply 1 (1)
Shopify Partner
4 0 3

the access_token you get via the oauth process proves that you have access to the merchant/store's data. it lasts a long time, so you store it and use it whenever you need to get merchant/store data.


the session_token that the javascript on your app webpage (embedded in shopify admin) passes to your backend is used by your backend server to verify that the request is indeed a valid request from your app within the shopify admin panel. it only lasts around a minute. 


so the session_token proves to your backend that the request is valid, then your backend uses the oauth access_token to get the merchant/shop data to send to the app webpage showing in the shopify admin panel.