Can a public Shopify app collect user API keys (to access a different website)?

Topic summary

Main issue: Whether a public Shopify app may ask merchants to provide API keys for their external print‑on‑demand services (e.g., Printify, Gooten) so the app can operate on both the POD platform and the Shopify store.

Key concern raised: A responder notes the Shopify App Store review team could view manual API key collection as a poor merchant experience. Merchants often lack the skills to manage keys (including updates/rotation), and having them enter keys manually may be problematic.

Suggested direction: Ideally, credential handling should be managed by the app rather than requiring merchants to manually obtain and input API keys.

Status/outcome: No definitive policy ruling or confirmation from experience was provided. The thread remains open with the practical takeaway to design a flow where the app manages credentials to avoid manual key entry by merchants.

Summarized with AI on December 20. AI used: gpt-5.

I have a pretty useful Shopify App idea where, for it to work as envisioned, the user would need to provide the API Key that would give the app access to their print-on-demand store (e.g., Printify, Gooten, etc.). The app would then be able to perform certain functions both on their print-on-demand store AND on their Shopify store.

My question is this: Is this allowed under the Shopify App developer policies? I’ve already spent hours reading through their extensive documentation and lists of rules/restrictions, and given that so many things are not allowed, I would hate to spend tons of time/development effort creating an app that just gets rejected because they don’t like the idea of collecting + using user API keys in this way from a separate website.

Does anyone have experience developing public-facing Shopify Apps that do, indeed, work in this way, and who can confirm that this is allowed?

Thanks!

Hi Anton - is the issue you’re expecting that merchants would have to manually get and enter an API key? It’s possible the Shopify App Store review team may see this as a less than ideal experience, as merchants often will lack technical skills to manage API keys (which may need to be updated/rotated). Ideally, handling API credentials should be managed by your app rather than manually by the merchant.