Main issue: How to access a shop’s handle/permanent_domain (e.g., foo.myshopify.com) from a Shopify Admin Block extension to include in backend requests, given no window access and useApi() didn’t reveal it.
Key guidance: Avoid passing the shop domain via URL params because it’s insecure. Instead, use session tokens (JWTs) that Admin extensions automatically include when making fetch requests to your app’s URL.
How it works:
Implications: This approach provides a secure, supported way to identify the shop without relying on useApi() or the window object, and replaces manually appending shop= to requests.
Status: Guidance provided with concrete steps and documentation links; no further disputes or unresolved questions noted.
For admin block extension
https://shopify.dev/docs/apps/build/admin/actions-blocks/build-admin-block?extension=react
Is there an easy way to access the shop handle or permanent_domain? Like foo.myshopify.com?
I need to make a request to my server that contains the normal shop= context that we get from embedded app requests.
I poked around with useApi() within BlockExtension.jsx but doesn’t seem to anywhere there. There does not seem to be access to window object either.
Hi - you don’t need need to include the shop domain to requests to the backend through url params like that as it’s not secure. The recommended approach is to use session tokens. Session tokens are automatically included when they make a fetch request to your app’s url. Specifically the shop domain is available as the dest property after decoding the session token (either using one of Shopify’s libraries or manually decoding with a JWT library).