Video tutorial on using JWT session tokens to authenticate your embedded app

Shopify Staff
31 0 15

As indicated via a notification on your partner dashboard, new embedded apps are now required to use session tokens instead of cookies for authorization.

This requirement will apply to all embedded apps by Jan 1 2022.

Below is a link to a video tutorial on implementing the JWT session token using app bridge and bootstrapping the Shopify CLI's example code.

0:00​ Intro
1:26​ What is a session token?
2:36​ What's wrong with using cookies these days?
5:01​ Session token vs access token
6:54​ Looking at the JWT token
16:22​ Session token life cycle
18:00​ Frontend implementation
28:16​ Backend implementation
40:29​ Using the uninstall webhook
44:52​ Questions

23:22 Why not just use the offline token?
44:52 Adding a script tag
46:37 Stuck in redirect loop

Documentation links
- Overview:
- Tutorial:
- Getting started with app bridge:


Slack Channel

Replies 11 (11)
Shopify Staff
31 0 15

Hi Pengyi,

Yes you should use session token with each request so you can identify user.

Shopify Staff
31 0 15

Hi Pengyi, can you check that app is being set.