Solved

Using private and public app together - where to store the private app password?

gdavisdesign
Tourist

To allow storefront access to my app (via app proxy), I had to create a public app – but the app is using my private app credentials to make the API calls on the server. None of the POST requests on the front-end show these credentials, but will hard-coding the credentials into my app (on the server) be a security risk? Since the app will be hosted on Heroku or some other server, it seems like it should be fine, since the website client is POSTing into the server. The server runs the query to process the POST request and sends a response back to the client.

Is this the proper way to run API requests in a private app and use the app proxy?

Accepted Solution (1)

Busfox
Shopify Staff (Retired)

This is an accepted solution.

Hi @gdavisdesign,

I don't see an issue with your approach. Just make sure, as you said, you're not exposing any of your credentials on the client. If your app is going to be hosted on Heroku, you can use their config vars (environment variables) to securely store and access your credentials for use in your production server.

Cheers,

To learn more visit the Shopify Help Center or the Community Blog.

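An added example (not code from this thread or from Shopify) of the approach in the accepted answer: the server reads the private app credentials from config vars, uses them only on the outbound API call, and returns an allow-listed body to the storefront. The config var names, the sample path and the sample values in the comments are assumptions.

```javascript
// Added example: server-side credential handling for a private-app backend.
// Config var names are assumptions; on Heroku they are set as config vars.
const REQUIRED = ['SHOPIFY_SHOP', 'SHOPIFY_API_KEY', 'SHOPIFY_API_PASSWORD'];

// Read credentials from the environment and fail fast if any is missing,
// so a misconfigured deploy never falls back to a hard-coded value.
function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((k) => !env[k] || !env[k].trim());
  if (missing.length) {
    throw new Error('Missing config vars: ' + missing.join(', '));
  }
  return Object.freeze({
    shop: env.SHOPIFY_SHOP.trim(),          // e.g. example.myshopify.com (constructed)
    apiKey: env.SHOPIFY_API_KEY.trim(),
    password: env.SHOPIFY_API_PASSWORD.trim(),
  });
}

// Build the server-to-Shopify request. The Basic auth header exists only on
// this outbound call; it is never copied into anything sent to the browser.
function adminRequest(cfg, path) {
  const token = Buffer.from(cfg.apiKey + ':' + cfg.password).toString('base64');
  return {
    url: 'https://' + cfg.shop + path,
    headers: { Authorization: 'Basic ' + token, Accept: 'application/json' },
  };
}

// Scrub secrets from text before logging it or echoing an upstream error.
function redact(cfg, text) {
  const basic = Buffer.from(cfg.apiKey + ':' + cfg.password).toString('base64');
  return [cfg.password, cfg.apiKey, basic].reduce(
    (out, secret) => out.split(secret).join('[REDACTED]'), String(text));
}

// Body returned for the app proxy POST: an explicit allow-list of fields,
// so config values or upstream headers cannot leak by accident.
function clientResponse(upstream) {
  return { ok: upstream.status === 200, result: upstream.body };
}
```

Call `loadConfig()` once at startup so a missing config var stops the process before it serves any proxy request.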

Replies 2 (2)

gdavisdesign
Tourist
5 0 0

Hello @Busfox ,

Thank you for the advice – I'll use the config vars.

Thanks!