App reviews, troubleshooting, and recommendations
Hi, I have a Shopify app backend written using express. This backend needs to access an external database API to retrieve our app's business logic.
When the backend receives requests from the embedded frontend, it receives a session token jwt whose signature can be validated using the Shopify app client secret.
My question is, can I use this JWT token to authenticate the caller of my external database API? Let's say the Shopify backend passes this token in the request to the external database API. I can store the client secret in my external database and use it to validate the token and decide what the caller can access.
Even if the Shopify app is meant to be a public app where any stores can install this Shopify app, the client secret is still the same so my external database app can use the same client secret to validate the session jwt token.
Is my logic correct? Or am I missing something? Will this have any negative security consequences?
Thanks!