Recommended API security control for Shopify app express backend to access an external db api

Shopify Partner

Hi, I have a Shopify app backend written using express. This backend needs to access an external database API to retrieve our app's business logic. 


When the backend receives requests from the embedded frontend, it receives a session token jwt whose signature can be validated using the Shopify app client secret. 


My question is, can I use this JWT token to authenticate the caller of my external database API? Let's say the Shopify backend passes this token in the request to the external database API. I can store the client secret in my external database and use it to validate the token and decide what the caller can access.


Even if the Shopify app is meant to be a public app where any store can install it, the client secret is still the same, so my external database app can use the same client secret to validate the session JWT token.


Is my logic correct? Or am I missing something? Will this have any negative security consequences?


