Must an embedded app use session tokens?

Solved

marv1nnnnn
Shopify Partner
Hi everyone, we are developing a new Shopify app and planning to submit it. We noticed a restriction on embedded apps in the Requirements for apps in the Shopify App Store:
"Embedded apps that don't use session tokens - Embedded apps submitting to the Shopify App Store must use session tokens to authenticate"
We want to confirm some details:
  1. If the app is embedded, is it 100% necessary to use the session token?
  2. If the backend does not call the Shopify API, is it still required to use the session token to authenticate?
  3. How can we check whether we meet the requirement? I saw that some apps got rejected because "The app shows an error when the 3rd party cookies are blocked". So if we block 3rd party cookies locally and the app works well, can we assume it will meet the requirement?
Accepted Solution (1)

Henry_Tao
Shopify Staff

This is an accepted solution.

Hi @marv1nnnnn

I think all of your points are correct. It is highly recommended that an embedded app use session tokens if it needs authentication.

Henry | Social Care @ Shopify 

Replies 2 (2)

Henry_Tao
Shopify Staff

@marv1nnnnn

Note that although it's not required to use app-bridge for some apps, it's recommended to do so. There are a lot of open questions if you don't:

- How do you perform auth when your app is loaded inside Shopify (iframe)? 

- How do you make sure the request coming to your server is from Shopify? SessionToken is designed for this purpose. It's not for making a call to Shopify API.

- You also want to make sure your app works well on Shopify Mobile / Shopify POS. See https://shopify.dev/apps/tools/app-bridge/optimized-loading

Henry | Social Care @ Shopify 