Online and Offline Session Tokens (Best Practices)


I have an app which uses both online and offline tokens.


Offline tokens for all webhooks and for getting information that is needed no matter who the user is (subscription info).


Online tokens are used when proxying GraphQL requests within my Embedded App. I'm even using the @shopify/shopify-api library, which (by design) only allows online tokens when using the built-in GraphQL proxy method.


However, I'm getting push-back from some of my clients/customers. It seems like they want to be able to just give their users access to my app, and my app only. Then when their users access my app, they expect it to have full functionality.


Technically, this is doable because I could just use the offline token for everything and build my own GraphQL proxy. However, this just feels... dirty.

Is it against any rules to implement things this way? Should I just stick to my guns and tell them that they need to give their users the full permissions that my app needs? Obviously, I want to make things as easy as possible for my customers.


What do you guys think?
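The trade-off in the post is a least-privilege one: an online token is bound to the individual user's permissions and expires, while the offline token is the app's shop-wide credential, so routing user-initiated GraphQL calls through the offline token removes the per-user permission check that the online token gives you for free. The following is an added example, not code from the original post or from the @shopify/shopify-api library: a small policy function that picks which token a request may use (offline for webhooks and background work, online for user requests), and that makes the "just use the offline token" path an explicit, off-by-default option that is audited whenever it is taken. The session shapes, the in-memory store, the placeholder token strings and the scope names are all constructed for this example.

```javascript
// Added example: which Shopify access token may a given request use?
// Not from the original post or from @shopify/shopify-api; session objects,
// the store, the token strings and the scopes below are constructed.

const OFFLINE_KEY = (shop) => `offline_${shop}`;
const ONLINE_KEY = (shop, userId) => `online_${shop}_${userId}`;

// Constructed sample sessions. In a real app these come from the OAuth flow.
// u1: valid online session with read-only scope.
// u2: online session that has already expired.
const sessions = new Map([
  [OFFLINE_KEY("example.myshopify.com"),
    { kind: "offline", token: "shpat_OFFLINE_PLACEHOLDER",
      scope: "read_products,write_products,read_orders" }],
  [ONLINE_KEY("example.myshopify.com", "u1"),
    { kind: "online", token: "shpat_ONLINE_U1_PLACEHOLDER",
      scope: "read_products", expiresAt: Date.now() + 3600 * 1000 }],
  [ONLINE_KEY("example.myshopify.com", "u2"),
    { kind: "online", token: "shpat_ONLINE_U2_PLACEHOLDER",
      scope: "read_products,write_products", expiresAt: Date.now() - 1 }],
]);

// "a,b,c" -> Set{a,b,c}
function scopeSet(scopeStr) {
  return new Set(scopeStr.split(",").map((s) => s.trim()).filter(Boolean));
}

// request: { kind: "webhook" | "background" | "user", shop, userId?, requiredScopes?: [] }
// options.allowOfflineFallback: the "offline token for everything" path; off by default.
// options.audit: callback receiving a record whenever the fallback is used.
function selectSession(request, store = sessions, options = {}) {
  const { kind, shop, userId, requiredScopes = [] } = request;
  const covers = (s) => {
    const have = scopeSet(s.scope);
    return requiredScopes.every((x) => have.has(x));
  };

  // Webhooks and background jobs have no acting user: the offline token is the right one.
  if (kind === "webhook" || kind === "background") {
    const s = store.get(OFFLINE_KEY(shop));
    if (!s) return { ok: false, reason: "no offline session for shop" };
    if (!covers(s)) return { ok: false, reason: "offline session lacks required scope" };
    return { ok: true, kind: "offline", token: s.token };
  }

  // User-initiated requests should run under that user's own (online) token.
  if (kind === "user") {
    if (!userId) return { ok: false, reason: "user request without user id" };
    const s = store.get(ONLINE_KEY(shop, userId));
    const live = Boolean(s) && s.expiresAt > Date.now();
    if (live && covers(s)) return { ok: true, kind: "online", token: s.token };

    const reason = !s ? "no online session for user"
      : !live ? "online session expired"
      : "user lacks required scope";

    // Explicitly opted-in fallback: the user's action runs under the shop-wide
    // app token, so record who did what and why the online token was not usable.
    if (options.allowOfflineFallback) {
      const off = store.get(OFFLINE_KEY(shop));
      if (off && covers(off)) {
        (options.audit || (() => {}))({ shop, userId, event: "offline_fallback",
          scopes: requiredScopes, reason });
        return { ok: true, kind: "offline", token: off.token, fallback: true, reason };
      }
    }
    return { ok: false, reason };
  }

  return { ok: false, reason: "unknown request kind" };
}
```

With the default options, a staff user whose online session lacks `write_products` is refused rather than silently upgraded to the app's permissions; turning on `allowOfflineFallback` reproduces the behaviour the post describes, but every such call leaves an audit record naming the user and the scopes exercised, which is what you would want if a customer later asks who changed something.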
