Best approach to authorizing access to a third-party shopify site from our website

phelgren
Visitor

We currently have a third party that has developed and manages our "store". Currently, we have been relying on "security by obscurity", providing a link to the store site from our website. It didn't take long for folks to discover that they didn't have to first log into our site in order to access the store.

The goal here is to limit access to the third-party store to only properly authenticated users from our website. We could generate a token for the user and pass it in the header as they click on the link to access the store, but I am not sure what the mechanism would be at the Shopify end of things to validate the token. Is there a callback mechanism from the third-party Shopify store that could call an API at our end to validate the token? Or is there a better way to handle this? We don't need to uniquely ID users, just verify that they are properly authenticated on our system before accessing the store... we have roughly 100,000 users that may access the store, so we want to keep it as lightweight and simple as possible.

Thanks!
Pete

Replies (3)

PaulNewton
Shopify Partner

For trying to auth from external origins, thoroughly read through the resources below to clarify the problem to your specific context and Shopify's limitations, then use the dev forums: https://community.shopify.dev

Note there are two customer systems: legacy customer accounts and customer accounts; the Storefront API (customer features) and Customer Account API do not overlap. Keep that in mind in research.

Hi @phelgren, Shopify Plus enterprise plans only: for third-party auth there is Multipass.

For everyone else, some options:

  1. make the store require customer accounts and automate account invites.
  2. if this is for the online-sales channel, just use the Locksmith app or another similar content-gating app.
  3. 💣 themes/Liquid do not give access to server headers, nor do they expose the query string (URL parameters) without hacks.
  4. look at headless auth, but assume ongoing development to make it and maintain it.

Roughly, without an app in the mix Shopify has no global auth/callback system; it is not an identity provider.

Archived resources


Beyond that, without more research/testing on your part you're missing a ton of critical detail; when this many moving parts start coming together, it takes effort beyond the courtesy of a forum post to clarify everything into a straightforward question in order to have a concise solution.

Good Hunting.

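Multipass, the Plus-only option named above, is the closest thing Shopify offers to the "token in the link" idea from the question: your site encrypts and signs the customer's email plus an issue timestamp with a shared secret, and Shopify validates the signature and timestamp before creating the session, so no callback to your API is needed. The following Ruby is an added example, not code from either poster or from Shopify itself; it follows Shopify's documented Multipass construction (SHA-256 of the secret split into an AES-128-CBC key and an HMAC-SHA256 key), and the verifier models the check Shopify performs at its end, with the 300-second freshness window being an assumption.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'time'
# Multipass derives both keys from SHA-256 of the shop's Multipass secret:
# first 16 bytes encrypt (AES-128-CBC), last 16 bytes sign (HMAC-SHA256).
def multipass_keys(secret)
  material = OpenSSL::Digest.new('sha256').digest(secret)
  [material[0, 16], material[16, 16]]
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issued by our site only after the user has logged in; customer_data needs at
# least 'email'. The token goes in <shop>/account/login/multipass/<token>.
def generate_multipass_token(secret, customer_data)
  enc_key, sig_key = multipass_keys(secret)
  data = customer_data.merge('created_at' => Time.now.utc.iso8601)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  cipher.key = enc_key
  iv = cipher.random_iv
  ciphertext = iv + cipher.update(JSON.generate(data)) + cipher.final
  signature = OpenSSL::HMAC.digest('sha256', sig_key, ciphertext)
  Base64.urlsafe_encode64(ciphertext + signature)
end

# Model of the check at Shopify's end: verify the HMAC before touching the
# ciphertext, then decrypt and refuse old tokens (300 s window is an assumption).
def verify_multipass_token(secret, token, max_age: 300, now: Time.now.utc)
  enc_key, sig_key = multipass_keys(secret)
  raw = Base64.urlsafe_decode64(token)
  return nil if raw.bytesize < 16 + 16 + 32 # iv + one block + hmac
  ciphertext, signature = raw[0, raw.bytesize - 32], raw[-32, 32]
  expected = OpenSSL::HMAC.digest('sha256', sig_key, ciphertext)
  return nil unless secure_equal?(expected, signature)
  decipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  decipher.key = enc_key
  decipher.iv = ciphertext[0, 16]
  data = JSON.parse(decipher.update(ciphertext[16..-1]) + decipher.final)
  return nil unless data.is_a?(Hash) && data['created_at']
  return nil if now - Time.iso8601(data['created_at']) > max_age
  data
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, ArgumentError, TypeError
  nil
end
```

Because the secret is shared with the store, it must live only on your server; a tampered, replayed or stale token fails the HMAC or timestamp check without any round trip back to your site.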


phelgren
Visitor

Thanks Paul. I guess I have more reading ahead.

How will this third party that maintains the Shopify store know whether they are "legacy" or not and "Plus" or not? Or will it be obvious to them? They stood up the store about 4 years ago and are serving 100k users, if that helps...

Pete

PaulNewton
Shopify Partner

Plus is a pricing plan; it's ~$24k/year, they will know.

Legacy customer accounts or new accounts are a setting.

https://help.shopify.com/en/manual/customers/customer-accounts

And also checkable through the API: https://shopify.dev/docs/api/admin-graphql/2025-01/objects/CustomerAccountsV2#field-customeraccounts..., https://shopify.dev/docs/apps/build/customer-accounts
