Access token and app JWT token authentication?

I am working on Shopify app with NodeJs and React. After authentication with Shopify the I got access token and stored it in the database. I am confused with handling client-server authentication.

I used JWT token sign with user id as payload and send it to the client then the client sends that JWT token with every request and verifies that token in the server so in that case,

Another database call is required to get the access token (Shopify access token saved in the database) for further calls to get the shopify data. Is there any way to maintain Shopify accesstoken in the server? If I add Shopify accesstoken in the JWT payload that results in an increased JWT token length.

Or should I send shopify accesstoken from the client with every request to the server?

Please help with a better solution

Hi, @captainzero !

Use Shopify’s native solution, online sessions (online access mode), it’s a regular JWT authorization, it’s just tied to Shopify.

And also to send requests from the client side, use ‘authenticatedFetch’ from app-bridge-utils.

“Is there any way to maintain Shopify accesstoken in the server?”: Yes, you can use loadCurrentSession or in any case, your sessions are stored inside Shopify Context of your app, you can always view them.

Here are useful links to learn about it:

• https://shopify.dev/apps/auth/oauth/session-tokens/getting-started
• https://shopify.dev/apps/auth/oauth/access-modes
• https://github.com/Shopify/shopify-api-node/blob/main/docs/usage/oauth.md
• https://github.com/Shopify/shopify-app-template-node/blob/main/server/middleware/auth.js (example auth flow for node.js shopify app)
• https://github.com/Shopify/shopify-app-template-node/blob/main/src/App.jsx#L37-L71 (‘authenticatedFetch’ wrapper example)

Hope this helps, if not, please describe the problem in more detail with specific code examples.