Secure OAuth to external service

Shopify Partner



I want to connect my Shopify app to an external service that uses OAuth. How can I securely store user and password inside my Shopify app in order to get the OAuth-Token from the service at any time?

Reply 1 (1)

Shopify Partner

Hello @SPR_G2,
Storing user credentials (username and password) directly inside your Shopify app for OAuth with an external service is a security risk. Here's a secure approach to achieve OAuth with an external service:

1. Implement OAuth Client Credentials Flow:

This flow is recommended for server-to-server communication, which is ideal for Shopify apps. It avoids storing user credentials in your app. Here's how it works:

Register your app with the external service: Obtain client ID and client secret from the external service during registration.
Store client credentials securely: Store these credentials securely in your server-side environment (not within the Shopify app code). You might use environment variables or a secure configuration store.
Make requests to the external service: During the OAuth flow, your server-side code uses the client ID and client secret to obtain an access token from the external service. This token is used for authorized API calls.

2. User Consent with Redirect URI:

OAuth Authorization Code Flow (alternative): If the external service requires user consent, consider the OAuth Authorization Code Flow. In this case:
Redirect the user to the external service's authorization endpoint.
The user grants access, and the external service redirects back to your app with an authorization code.
Your server-side code then exchanges the authorization code for an access token using your client credentials.


Enhanced Security: Client credentials are stored securely, and user credentials never touch your Shopify app.
Scalability: This approach is suitable for server-to-server communication, making your app scalable.

Remember, never store user passwords or access tokens from the external service within your Shopify app code. Always use secure server-side storage and communication for these credentials.

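The client credentials flow described in the reply above, as an added example that is not part of the original thread and not code from Shopify or the external service: server-side Node.js code reads the client ID and secret from environment variables, requests a token, and keeps it in server memory until shortly before it expires. The `EXT_*` variable names, the function names, and the use of HTTP Basic client authentication are assumptions; check what the external service's token endpoint expects.

```javascript
// Read the client credentials from the server environment (EXT_* names are assumed).
// Fails closed, and error messages name the missing setting without echoing any value.
function loadConfig(env = process.env) {
  const cfg = {
    tokenUrl: env.EXT_TOKEN_URL,
    clientId: env.EXT_CLIENT_ID,
    clientSecret: env.EXT_CLIENT_SECRET,
  };
  for (const [key, value] of Object.entries(cfg)) {
    if (!value) throw new Error(`missing configuration: ${key}`);
  }
  if (new URL(cfg.tokenUrl).protocol !== 'https:') {
    throw new Error('token endpoint must use https');
  }
  return cfg;
}

// Build the RFC 6749 section 4.4 token request. The client authenticates with
// HTTP Basic; ID and secret are percent-encoded first (encodeURIComponent is
// used here as an approximation of the form encoding in section 2.3.1).
function buildTokenRequest(cfg) {
  const pair = `${encodeURIComponent(cfg.clientId)}:${encodeURIComponent(cfg.clientSecret)}`;
  return {
    url: cfg.tokenUrl,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Basic ${Buffer.from(pair).toString('base64')}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
    },
  };
}

// Keep the token in server memory only and fetch a new one 30 s before expiry.
// fetchImpl and now are injectable so the logic can be exercised offline.
function createTokenProvider(cfg, fetchImpl = globalThis.fetch, now = Date.now) {
  let cached = null; // { token, expiresAt }
  return async function getAccessToken() {
    if (cached && now() < cached.expiresAt - 30000) return cached.token;
    const { url, options } = buildTokenRequest(cfg);
    const res = await fetchImpl(url, options);
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const data = await res.json();
    if (!data.access_token) throw new Error('token response lacks access_token');
    cached = { token: data.access_token, expiresAt: now() + (data.expires_in ?? 60) * 1000 };
    return cached.token;
  };
}
```

Call `createTokenProvider(loadConfig())` once at server start and await the returned function before each API call to the external service; the token and the secret never need to reach the browser or the app's front-end bundle.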