Can I integrate external user authentication with Shopify checkout?

Topic summary

A user wants to restrict cart and checkout access to registered users only, while allowing free browsing. They plan to use an external authentication system instead of Shopify’s native customer accounts.

Key Requirements:

  • Server-side enforcement to prevent bypassing login via direct API calls
  • Integration with external user service for authentication
  • Secure implementation using Shopify-native tools (Functions, checkout settings, app proxies)

Specific Questions:

  1. How to enforce login before purchase with external authentication
  2. Available Shopify-native options for secure enforcement
  3. Best practices for routing Add-to-Cart and Checkout through external auth checks
  4. Limitations for non-Plus stores
  5. Examples, code snippets, or apps supporting this workflow

Status: The discussion remains open with no responses yet. The user emphasizes security as a priority to prevent unauthorized purchases.

Summarized with AI on October 30. AI used: claude-sonnet-4-5-20250929.

Hi Shopify Community,

I want visitors to be able to browse products freely, but only registered users should be able to add items to the cart or proceed to checkout.

Instead of using Shopify’s native customer accounts, I plan to use an external user service (custom authentication system) for registration and login.

I’m looking for guidance on:

  1. Server-side solutions to enforce login before purchase, ideally integrating with an external user service.

  2. Shopify-native options like Shopify Functions, checkout settings, or app proxies for enforcing login securely.

  3. Best practices for routing Add-to-Cart and Checkout requests through an external authentication check.

  4. Limitations or pitfalls for non-Plus Shopify stores.

  5. Examples, code snippets, or apps that support external authentication before purchase.

Any tips or real-world implementations would be highly appreciated — I want to make sure users cannot bypass login, even via direct API calls.
