App reviews, troubleshooting, and recommendations
This requirement states that the user must be able to instantly authenticate using the Shopify OAuth. However, my app does not just cater to Shopify, and rather I am building a Shopify integration that lets users enhance their experience by integrating with their Shopify store information. This means that the flow should be a user logs in to their app account first (on my app), and THEN goes through the Shopify OAuth process, so that the store credentials can be bound to the user's account on my end, so that the credentials can be used to fetch information in the future.
Am I missing something, or is this simply not allowed by Shopify apps??
I think to be compliant you need to handle OAuth first (so non-authenticated to your service), storing the received token temporarily; then after OAuth you can redirect to the login of your service and then associate the token to the appropriate account in your service.
We have the exact same situation and the same problem of app "requirements not met". Unfortunately nobody at Shopify seems to explain what must be done.
We had customers using Shopify for years successfully (and they still do), but all our NEW customers now need all that complicated stuff, with zero help from Shopify.
I went in our logs to grep "shopify" and found this request just before receiving the email of refusal:
/?hmac=xxxxxxxxxxxxxxxxxxxxxxx&host=xxxxxxxxxxxxxxxxxxxxxxxxxx&shop=xxxxxxx-vj.myshopify.com&timestamp=1734357564
(referer https://apps.shopify.com/)
I don't even understand why they would make a request at the home page / rather than some Shopify end-point we provided.
Can someone please clarify what we need to do? The email received was:
Fix core review requirement issues
Your submission isn't meeting some core requirements. Follow the next steps in this email to address what's needed. Your review is paused until you submit these fixes.
Please note: You'll be able to start a conversation with an App Review Specialist only after we've verified these core review requirements are met.
App name: PriceZag Competitor Monitoring
Status: Paused
Visibility setting: Limited visibility
Reference number: 81228
Next steps
Fix the issue(s) listed below
Make sure you're meeting all other review requirements
Submit the fixes on the Partner Dashboard
Core requirement issues to fix
Your app must immediately authenticate using OAuth before any other steps occur. Merchants should not be able to interact with the user interface (UI) before OAuth. See this screenshot for details.
If you select the "install" link from Shopify it will call the app URL as defined in your app config. They will append additional parameters (like shop/hmac/etc). That initiates the OAuth process. You need to handle OAuth before showing any other UI.
Re-read the Shopify OAuth documentation.
If you have a situation where your app has its own login and you need a way to tie the OAuth token back to an authenticated user within your app, then the process becomes a bit more complicated, as you still have to handle OAuth first (as per Shopify's reqs) and store the token temporarily somehow (i.e. a db) and link it (i.e. with a unique token you generate and pass back to the OAuth callback). Once the user logs in, you can associate the OAuth token to their user. This is only necessary if you separate auth outside of Shopify. If you're a Shopify-only app, likely not applicable.
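Added example, not part of any post in this thread and not Shopify's or any poster's code: a Node.js sketch of the two server-side checks the replies above describe, verifying the signed `shop`/`hmac`/`timestamp` query on the app URL before starting OAuth, then parking the token under a one-time claim id until the user logs in. The function names, the in-memory `Map`, the five-minute freshness window, the ten-minute claim lifetime, and the canonicalisation of the signed message as sorted `key=value` pairs of the parsed parameters are assumptions.

```javascript
'use strict';
const crypto = require('node:crypto');

const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;
const MAX_SKEW_S = 300;              // assumption: reject install links older than 5 min
const CLAIM_TTL_MS = 10 * 60 * 1000; // assumption: parked tokens expire after 10 min
const pending = new Map();           // stand-in for the temporary DB table in the post

// Check the query on the app URL (hmac, host, shop, timestamp) before any
// redirect or UI: drop hmac, sort the rest, HMAC-SHA256 with the app secret.
function verifyInstallQuery(query, appSecret, nowS = Math.floor(Date.now() / 1000)) {
  const { hmac, ...rest } = query;
  if (typeof hmac !== 'string' || !SHOP_RE.test(rest.shop || '')) return false;
  if (!(Math.abs(nowS - Number(rest.timestamp)) <= MAX_SKEW_S)) return false;
  const message = Object.keys(rest).sort().map((k) => `${k}=${rest[k]}`).join('&');
  const expected = crypto.createHmac('sha256', appSecret).update(message).digest();
  const given = Buffer.from(hmac, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// After the OAuth callback: park the token. Only a hash of the claim id is
// stored, so a leaked table cannot be used to claim someone else's store.
function parkToken(shop, accessToken, now = Date.now()) {
  const claimId = crypto.randomBytes(32).toString('hex');
  const key = crypto.createHash('sha256').update(claimId).digest('hex');
  pending.set(key, { shop, accessToken, expires: now + CLAIM_TTL_MS });
  return claimId; // hand to the browser in a Secure, HttpOnly cookie, not the URL
}

// After the user logs in to your own service: attach the token exactly once.
function claimToken(claimId, userId, accounts, now = Date.now()) {
  const key = crypto.createHash('sha256').update(String(claimId)).digest('hex');
  const entry = pending.get(key);
  pending.delete(key); // single use, even when the entry has expired
  if (!entry || entry.expires < now) return false;
  accounts.set(userId, { shop: entry.shop, accessToken: entry.accessToken });
  return true;
}

// Constructed sample data: secret, host value, shop and token are made up.
const secret = 'constructed-secret';
const q = { host: 'ZXhhbXBsZQ', shop: 'example-store.myshopify.com',
            timestamp: String(Math.floor(Date.now() / 1000)) };
q.hmac = crypto.createHmac('sha256', secret)
  .update(`host=${q.host}&shop=${q.shop}&timestamp=${q.timestamp}`).digest('hex');
console.log('install query valid:', verifyInstallQuery(q, secret));
const accounts = new Map();
const claim = parkToken(q.shop, 'constructed-token');
console.log('first claim:', claimToken(claim, 'user-1', accounts),
            'replayed claim:', claimToken(claim, 'user-2', accounts));
```

A request that fails `verifyInstallQuery` should get an error response rather than a login page or an OAuth redirect.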
Thanks a lot for the reply.
It looks like we cannot even edit the URLs (and all other details) after it has been submitted once? (meaning even if I cancel the submission, I can no longer see any form to edit everything like URLs for hooks, etc).
Obviously we'd rather not use the home page for some internal Shopify requests...
How did you fix this issue?
Hey there—did you ever manage to find a solution to this? Running into the same issue.
Check my posts; they explain what you need to do. OAuth has to happen immediately on install. If you need to log in to your own app afterwards or allow for account creation, you need to store the token while you handle your own auth.
The part I'm confused about is "selecting the "install" link from Shopify". My app is unlisted, so I'm not sure where to find this. Can you provide an example?
Additionally, my app is meant to be installed on many different stores. My process before was to ask the user to enter their .myshopify.com domain on my external site, at which point I would then start the OAuth process using the manual grant documentation. However Shopify is now telling me that I can no longer ask for users to enter their .myshopify.com domain.
Hello, did you find a solution?
Yes—you can find your app's dedicated install page from within the partner dashboard under Distribution. From there click Manage listing and the link will be at the bottom under Listing URL.
Even if it's unlisted, the page will still be visible to those who have the URL.
Well... I am having exactly the same issue, but I cannot find the dedicated install page in the partner dashboard. Under Distribution, I can see only Manage Submission. Without inputting the shop's domain name, how can we start the OAuth process? I am using the Shopify admin library, and shopify.auth.begin requires the shop domain name. Appreciate any help.