FROM CACHE - en_header

Shopify Custom App Oauth - Missing code

New Member
1 0 0

I really don't want to use Shopify's KOA middleware for a custom Shopify app that I'm building, and it's super puzzling that its the suggested way to integrate with shopify as using ExpressJS and NextJS together makes little sense at this point (NextJS is highly optimized to be serverless now).


I had implemented Oauth correctly for a public app with a test store. However, I only want my app to be available to one store before I have it reviewed by Shopify while we test out the kinks.


Oauth for custom apps is for some reason authenticated differently, and I must use first get 'https://<store_name>/admin/oauth/install_custom_app' rather than '.../install'.


This route isn't sending an authorization code to my redirect like the '.../install' route is.


There really isn't any documentation explaining why this is the case and what to do about that. My redirect is only recieving the hmac, timestamp, and shop, so then my POST to get an access token has no code to send.

Replies 3 (3)
Shopify Partner
8 0 5



I have some experience building Custom Apps so maybe I could help here. This is a rather new Shopify feature, so the documentation is somewhat lacking. I can only speak from my past experience for how it's worked for me and my clients. Since it’s rather complicated I’ll walk you (and anyone else who stumbles upon this) through the steps of how both Custom and Public Apps will Install moving forward. Please, feel free to leave questions or corrections as a reply.


The '/admin/oauth/install_custom_app' link that you're talking about is just so that Shopify can limit installs to a single store. Once it checks that you have permissions at the store it redirects the client to the App Url supplied in the App Setup in your partner dashboard.


This is where you are getting your HMAC, store, and timestamp.


Once there you need to figure out if the request coming in is for a new install or for a current user. I do this by creating a Store document in MongoDB and checking the incoming store against that. 


Assuming it is a new install you need to redirect to this url:



The state is a nonce usually generated using an NPM package called Nonce.


Once the user authorizes the install, Shopify will redirect to your redirect uri.


 At this point, take your app's api key, secret and this nonce code that shopify has echoed back to you, and POST those fields to “/admin/oauth/access_token” in exchange for your permanent access token. 


Take that and update the store in your DB to include the token so you can make requests later on.


Here is a shopify tutorial about this that might help: 

4 0 1

hey, i have recently started shopify app development, I followed the tutorial for public app development for building a custom app

i have a similar problem


can u tell me where can i find the nonce, and scopes?

Shopify Partner
31 0 1

The problem is that after the installation the state, code, timestamp and hmac are missing, the only returning attribute is the shop!