Video tutorial on using JWT session tokens to authenticate your embedded app

Jason_Tigas
Shopify Staff

As indicated via a notification on your partner dashboard, new embedded apps are now required to use session tokens instead of cookies for authorization.

This requirement will apply to all embedded apps by Jan 1 2022.

Below is a link to a video tutorial on implementing the JWT session token using App Bridge and bootstrapping the Shopify CLI's example code.

https://www.youtube.com/watch?v=Vq0aWTaJDAY

Contents:
0:00 Intro
1:26 What is a session token?
2:36 What's wrong with using cookies these days?
5:01 Session token vs access token
6:54 Looking at the JWT token
16:22 Session token life cycle
18:00 Frontend implementation
28:16 Backend implementation
40:29 Using the uninstall webhook
44:52 Questions

Questions
23:22 Why not just use the offline token?
44:52 Adding a script tag
46:37 Stuck in redirect loop

Documentation links
- Overview:
https://shopify.dev/concepts/apps/bui...
- Tutorial:
https://shopify.dev/tutorials/authent...
- Getting started with App Bridge:
https://shopify.dev/tools/app-bridge/...

Slack Channel
#session-token-migration 

Replies 11 (11)
Jason_Tigas
Shopify Staff

Hi Pengyi,

Yes, you should use the session token with each request so you can identify the user.

Jason_Tigas
Shopify Staff

Hi Pengyi, can you check that app is being set?