Authenticate API call

Topic summary

A developer is seeking guidance on securely authenticating API calls from their Shopify theme app extension (frontend) to a Remix backend. The primary concern is preventing unauthorized replication of these API calls via tools like Postman.

Current Implementation:

  • Shopify app proxy is already configured
  • JWT (JSON Web Token) authentication is in place

Security Challenge:
The developer has identified a vulnerability: anyone inspecting the page source can discover the API endpoint (e.g., GET "/apps/PROXY_URL/api/get-token"), replicate the request with proper headers in Postman, and obtain a valid JWT token.

Status:
The question remains unanswered, with no solutions or alternative authentication strategies proposed yet. The developer is looking for methods to prevent API endpoint exposure and unauthorized access beyond their current JWT implementation.

Summarized with AI on October 29. AI used: claude-sonnet-4-5-20250929.

Hi, if I make an API call from the frontend of my site (e.g., from a theme app extension) to my Remix backend, how can I securely authenticate the API call?
The goal is to prevent this API from being replicated, for example using Postman, so that no one else can access the results.

I have already implemented the Shopify proxy and JWT.
However, if someone inspects the page source and finds the script that makes the API call to obtain the JWT — for example: GET “/apps/PROXY_URL/api/get-token” — they can easily replicate it in Postman with the correct headers and obtain the JWT.