Best approach to authorizing access to a third-party shopify site from our website

Topic summary

A website operator seeks to restrict access to their third-party Shopify store to authenticated users only, moving away from relying on obscurity. Currently, anyone can access the store directly without logging into the main website.

Proposed approach:

  • Generate tokens for authenticated users and pass them when accessing the store
  • Need validation mechanism on Shopify side

Key constraints:

  • ~100,000 potential users
  • No need for unique user identification, just authentication verification
  • Seeking lightweight, simple solution

Recommended solutions (in order of viability):

  1. Multipass - Third-party authentication option, but only available on Shopify Plus plans (~$24k/year)
  2. Automated account invites - Require custom Shopify accounts and automate invitation process
  3. Content gating apps - Use Locksmith or similar apps for the online sales channel
  4. Headless authentication - More complex, requires ongoing development and maintenance

Important limitations:

  • Shopify themes/Liquid cannot access server headers or URL parameters easily
  • Shopify lacks a global auth/callback system and is not an identity provider
  • Two separate customer account systems exist (legacy vs. new), with non-overlapping APIs

Status: Discussion remains open; original poster needs to determine their Shopify plan type and account system version before proceeding.

Summarized with AI on November 2. AI used: claude-sonnet-4-5-20250929.

We currently have a third-party that has developed and manages our “store”. Currently, we have been relying on “security by obscurity” providing a link to the store site from our website. It didn’t take long for folks to discover that they didn’t have to first log into our site in order to access the store.

The goal here is to limit access to the third-party store to only properly authenticated users from our website. We could generate a token for the user and pass it in the header as they click on the link to access the store, but I am not sure what the mechanism would be at the Shopify end of things to validate the token. Is there a callback mechanism from the third-party Shopify store that could call an API at our end to validate the token? Or, is there a better way to handle this? We don’t need to uniquely ID users, just verify that they are properly authenticated on our system before accessing the store…we have roughly 100,000 users that may access the store, so we want to keep it as lightweight and simple as possible.

Thanks!
Pete

For trying to auth from external origins, thoroughly read through the resources below to clarify the problem for your specific context and Shopify’s limitations, then use the dev forums: https://community.shopify.dev

Note there are two customer systems: legacy customer accounts and customer accounts. The Storefront API (customer features) and the Customer Account API do not overlap; keep that in mind in your research.

Hi @phelgren, Shopify Plus enterprise plans only: for third-party auth there is Multipass.

For everyone else, some options:

  1. make the store require customer accounts and automate account invites.
  2. if this is for the online-sales channel, just use the Locksmith app or another similar content gating app.
  3. :bomb: themes/Liquid do not give access to server headers; nor do they expose the query string (URL parameters) without hacks.
  4. look at headless auth, but assume ongoing development to maintain it.

Roughly, without an app in the mix Shopify has no global auth/callback system; it is not an identity provider.


Beyond that, without more research/testing on your part you’re missing a ton of critical detail; when this many moving parts start coming together, it takes effort beyond the courtesy of a forum post to clarify everything into a straightforward question in order to have a concise solution.

Good Hunting.

Thanks Paul. I guess I have more reading ahead.

How will this third-party that maintains the Shopify store know whether they are “legacy” or not and “Plus” or not? Or will it be obvious to them? They stood up the store about 4 years ago and are serving 100k users if that helps…

Pete


Plus is a pricing plan; it’s ~$24k/year, so they will know.

Legacy customer accounts or new accounts are a setting.

https://help.shopify.com/en/manual/customers/customer-accounts

And it is also checkable through the API: https://shopify.dev/docs/api/admin-graphql/2025-01/objects/CustomerAccountsV2#field-customeraccountsversion, https://shopify.dev/docs/apps/build/customer-accounts