App Rejected For Not Following Immediate OAuth Requirement.. but we are?

Topic summary

App submission was rejected for allegedly not initiating OAuth immediately (no UI interaction allowed pre-auth). The developer asserts full compliance and cannot reproduce any issue across browsers or users.

Key details:

  • Stated OAuth flow: install → redirect to Shopify’s OAuth page → merchant grants access → Shopify redirects back with code → app exchanges code for token.
  • Reviewer’s evidence is a screenshot showing a DNS_PROBE_FINISHED_NXDOMAIN error for a URL that includes an HMAC parameter. The developer purged Cloudflare cache and still cannot reproduce the DNS failure.

Clarifications requested and provided:

  • A participant asked whether the OAuth redirect occurs server-side or via front-end UI after clicking “Install.”
  • The developer says the OAuth flow is triggered server-side and they use Shopify Managed installation, which avoids redirecting to an external OAuth page during install.

Notes:

  • The screenshot (image) indicating a DNS error is central to understanding the rejection.
  • No resolution yet; the cause of the DNS failure and its relation to the “immediate OAuth” requirement remain unclear. The developer seeks guidance and cannot reply to automated rejection emails.
Summarized with AI on January 6. AI used: gpt-5.

Hello everyone!

We tried submitting our app to the Shopify App Store, but it got rejected with this error: “Your app must immediately authenticate using OAuth before any other steps occur. Merchants should not be able to interact with the user interface (UI) before OAuth.”

However, on our end we’ve run some tests and everything follows the flow according to their requirements. We are unable to replicate the error on our end, after testing on multiple browsers with multiple users, even in incognito mode.

Our app flow is as follows (exactly as how Shopify asks for it):

  1. The merchant installs your app.
  2. Our app redirects the merchant to Shopify’s OAuth authorization page.
  3. The merchant decides whether to grant the requested access to our app.
  4. Shopify redirects the merchant to our app along with an authorization code.
  5. Our app makes a request to Shopify to exchange the authorization code for an access token.

The reply we got from the store team shows us a screenshot with a DNS issue, a “DNS_PROBE_FINISHED_NXDOMAIN” error. We even flushed our cache on Cloudflare and tested a few more times, and we still can’t replicate the error. (The URL in the screenshot also contains an HMAC in the slug, which is also working fine on our end.)

Any help would be greatly appreciated as the rejection emails from the Shopify store are all automated and don’t accept responses.

Thanks in advance everyone!
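As an added illustration of the five-step flow listed in the post (not the poster’s code, and not Shopify’s own library), the sketch below shows the server-side handling of that flow in a framework-neutral way: verifying the HMAC on the incoming request, redirecting to the authorization page before serving any UI, and verifying HMAC and `state` on the callback before building the code-for-token exchange. Credentials, scopes, the redirect URI and the shop name are constructed placeholders. The `*.myshopify.com` hostname check before any redirect is the caveat a reviewer would want to see, since the shop name arrives as a request parameter and the app redirects the browser to it; the example makes no claim about what caused the DNS error in the screenshot.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Hypothetical settings for this example only; a real app reads them from
# its environment, never from source.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
SCOPES = "read_products,write_products"
REDIRECT_URI = "https://app.example.com/auth/callback"

# Only well-formed *.myshopify.com hosts are ever redirected to.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")


def valid_shop(shop: str) -> bool:
    return bool(SHOP_RE.match(shop))


def expected_hmac(query: dict, secret: str) -> str:
    """Drop the hmac param, sort the rest, join as k=v&k=v, then
    HMAC-SHA256 with the app secret, hex-encoded."""
    message = "&".join(f"{k}={v}" for k, v in sorted(query.items()) if k != "hmac")
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_hmac(query: dict, secret: str) -> bool:
    # Constant-time comparison against the supplied hmac parameter.
    return hmac.compare_digest(expected_hmac(query, secret), query.get("hmac", ""))


def sign_query(query: dict, secret: str) -> dict:
    """Attach a valid hmac, as Shopify does on its side. Used here only to
    build constructed sample requests for the demo and tests."""
    signed = dict(query)
    signed["hmac"] = expected_hmac(query, secret)
    return signed


def authorize_url(shop: str, state: str) -> str:
    params = {"client_id": CLIENT_ID, "scope": SCOPES,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"https://{shop}/admin/oauth/authorize?{urlencode(params)}"


def handle_install(query: dict, sessions: dict, secret: str = CLIENT_SECRET):
    """Steps 1-2: on the first request from Shopify, either the shop already
    has a token (serve the app) or redirect to OAuth at once, with no UI.
    Returns (action, payload) so it runs without a web framework."""
    shop = query.get("shop", "")
    if not valid_shop(shop):
        return ("reject", "invalid shop domain")
    if not verify_hmac(query, secret):
        return ("reject", "bad hmac")
    if shop in sessions:
        return ("serve", shop)
    state = secrets.token_urlsafe(16)
    sessions[f"pending:{shop}"] = state
    return ("redirect", authorize_url(shop, state))


def handle_callback(query: dict, sessions: dict, secret: str = CLIENT_SECRET):
    """Steps 4-5: verify HMAC and state on the callback, then build the
    token-exchange request (not sent here, so the example runs offline)."""
    shop = query.get("shop", "")
    if not valid_shop(shop):
        return ("reject", "invalid shop domain")
    if not verify_hmac(query, secret):
        return ("reject", "bad hmac")
    if sessions.pop(f"pending:{shop}", None) != query.get("state"):
        return ("reject", "state mismatch")
    token_request = {
        "method": "POST",
        "url": f"https://{shop}/admin/oauth/access_token",
        "json": {"client_id": CLIENT_ID, "client_secret": secret, "code": query["code"]},
    }
    return ("exchange", token_request)


if __name__ == "__main__":
    sessions = {}
    # Constructed install request, signed the way Shopify would sign it.
    install = sign_query({"shop": "example-store.myshopify.com",
                          "timestamp": "1700000000"}, CLIENT_SECRET)
    print(handle_install(install, sessions))
    state = sessions["pending:example-store.myshopify.com"]
    callback = sign_query({"shop": "example-store.myshopify.com", "code": "abc123",
                           "state": state, "timestamp": "1700000001"}, CLIENT_SECRET)
    print(handle_callback(callback, sessions))
```

The install handler returns a redirect before any page is rendered, which is the behaviour the rejection text asks for; a tampered `shop` or `timestamp` is refused before the redirect is built. The poster later says they use Shopify managed installation, in which case step 2 is not a browser redirect at all, but the HMAC and hostname checks apply just the same to whatever request first reaches the app.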

Just curious, what happens in step 1, “The merchant installs the app”, when the customer clicks the install button? Does your app redirect them to Shopify’s OAuth authorization page on the server side, or does the redirect happen on the front end (UI)?


Thanks for getting back! Appreciated.

Our OAuth flow is triggered server-side, but we’re using “Shopify Managed installation”, which does not need to redirect to an external OAuth page during installation.