Storefront AccessToken accessing in theme app extension

Tess
Shopify Partner

Hi all,

I'm working on a Theme App Extension, and I need to use the Storefront Access Token to make Storefront API calls from the storefront.

What are the different ways to expose or access the token securely within the theme extension context?

Also, is it possible to achieve this without using a Shopify proxy setup, or is a proxy the only secure option?

Any guidance or best practices would be greatly appreciated!

Thanks,
Tess


Dotsquares
Shopify Partner

Hi @Tess,

Great question! When working with a Theme App Extension and needing to use the Storefront Access Token (SFAT) for Storefront API calls directly from the storefront, there are a few important considerations around security and architecture.

Securely Accessing the Storefront Access Token

The Storefront Access Token is meant to be used in a public context, so it's technically okay to expose it client-side. However, you should:

  • Limit the token's permissions strictly to what you need (e.g., read-only access to products, collections, etc.).

  • Avoid embedding it directly in theme files if possible, especially if you have multiple environments (dev/stage/prod).

Options for Providing the Token in a Theme App Extension

Here are a few approaches:

1. Exposing via theme.app.blocks with dynamic settings

You can pass the token to your extension via the app block settings or dynamic sections. Just be cautious:

```json
{
  "name": "Storefront API Token",
  "settings": [
    {
      "type": "text",
      "id": "sf_access_token",
      "label": "Storefront API Token"
    }
  ]
}
```

Use this only for tokens with limited permissions and no sensitive scopes.

2. Injecting via Liquid variables

You can inject the token using Liquid in your extension's .liquid files:

```liquid
{% comment %} App block settings are read from block.settings; the json filter emits a quoted, escaped JS string {% endcomment %}
<script>
  window.storefrontApiToken = {{ block.settings.sf_access_token | json }};
</script>
```

This makes it accessible to your JS, but again, be mindful of what the token can do.

Is a Shopify Proxy Required?

While Shopify App Proxy is not required, it is the recommended secure pattern when:

  • You need to call authenticated APIs server-side.

  • You want to keep credentials or business logic private.

  • You need to validate/verify requests before hitting Shopify APIs.

If your use case requires enhanced security (e.g., user-specific data), using a proxy endpoint through your app server is the way to go.

Best Practices

  • Restrict the SFAT to read-only scopes.

  • Avoid using the token for customer-specific or sensitive data operations.

  • Use Shopify App Proxy for scenarios that require private validation or authentication logic.

Let me know if you’d like code snippets or a more tailored example — happy to help!

Best,

Dotsquares Ltd
