Extension-Only App: How to authorize for Admin-API access from flow action?

Topic summary

A developer is building an extension-only Flow Action app using AWS Lambda and needs to authorize Admin API access without a frontend.

Initial Challenge:

  • The app requires creating orders via Admin API when the flow action triggers
  • Unclear how to retrieve access tokens without OAuth Flow’s typical frontend requirement

Proposed Solutions:

  • Using API keys was suggested but would require manually adding a private app in the shop to obtain keys

Working Solution (Confirmed):

  • Set embedded to false in project settings (necessary for cookie handling)
  • Use AWS API Gateway HTTP-API routing to two Lambda functions on the same domain
  • Implement Authorization Code Grant Flow via the @shopify/shopify-api library
  • Convert requests/responses between HTTP-API Lambda payload format and Node.js format
  • Configure the API Gateway URL as the app’s application_url parameter
  • Register both Lambda function URLs (shopify.auth.begin and shopify.auth.callback) in the app’s auth[redirect_urls] parameter

Status: Resolved - backend-only implementation is possible but requires significant setup work and lacks comprehensive documentation.

Summarized with AI on November 6. AI used: claude-sonnet-4-5-20250929.

Hi,

I have a Flow Action extension only app.

What I try to achieve is to access store data from my flow action, which is realized as an AWS Lambda function. Like, every time my flow action function is invoked, an order should be created.

But I have problems finding the correct authorization mechanism. Especially, I want to know how to retrieve the access token for my app. Is it even possible to have a backend-only implementation for this? If I understand the documentation correctly, the OAuth flow always needs a frontend?

Thanks,

Michael

Hi Michael,

Would using an API key be an option?


Hi and thanks for the reply!

How would that work? The best way would allow authorising the App at App installation, maybe via a second lambda function to store the access key. API key would mean there would be the need to manually add a private app in the shop to get the API key, correct?

So, for everyone looking for advice here: It is possible without a frontend, but the whole process is not documented very well. First of all, you have to set embedded to false in the project settings (that is because cookies are set, which will not work otherwise). Then, on AWS, I used API Gateway HTTP-API to route to two lambda functions, which are both responsible for the authentication process. Both functions must have the same domain. The authentication is done via the @shopify/shopify-api library; Authorization Code Grant Flow is the way to go. You have to convert the requests and responses from the HTTP-API Lambda Payload format (search for “Create AWS Lambda proxy integrations for HTTP APIs in API Gateway” to find the documentation, as links to amzn (even the word is forbidden) docs are not allowed in this board) to node requests/responses and vice versa to use them as the parameters for the shopify.auth.begin (handled in Lambda function 1) and shopify.auth.callback (Lambda function 2) functions. The API Gateway URL which routes to the first Lambda function has to be used as the application_url config parameter of the shopify app. Both URLs have to be inserted in the [auth]redirect_urls parameter.

Lot of stuff to work through, but it is possible.
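The request/response conversion described in the post, written out as an added example (not code from the thread or from Shopify). It assumes the library's Node adapter reads only method, url and headers from `rawRequest` and only statusCode, setHeader, getHeader and end on `rawResponse`, and that the API Gateway event is payload format 2.0; check both against the library version you deploy.

```javascript
// Added example: shim between API Gateway HTTP API (payload v2) Lambda
// events/results and the Node-style req/res that @shopify/shopify-api's
// Node adapter expects as rawRequest/rawResponse. Assumption: the adapter
// uses only the members modelled here; verify against your library version.

// Build a minimal Node-style request from a payload-format-2.0 event.
function eventToRequest(event) {
  const headers = { ...(event.headers || {}) };
  // v2 events move cookies out of the headers. The OAuth state cookie set by
  // shopify.auth.begin must reach shopify.auth.callback as a Cookie header,
  // otherwise the callback cannot validate the state and fails.
  if (event.cookies && event.cookies.length) headers.cookie = event.cookies.join('; ');
  const qs = event.rawQueryString ? `?${event.rawQueryString}` : '';
  return {
    method: (event.requestContext && event.requestContext.http && event.requestContext.http.method) || 'GET',
    url: `${event.rawPath}${qs}`, // path + query, like IncomingMessage.url
    headers,                       // includes Host, which the library uses for the full URL
  };
}

// Collect what the library writes and turn it into a v2 Lambda result.
function createResponse() {
  const headers = {};
  const cookies = [];
  let body = '';
  const res = { statusCode: 200 };
  res.setHeader = (name, value) => {
    // HTTP API v2 has no multi-value headers: Set-Cookie must go in `cookies`,
    // or only the last cookie (or a comma-joined mess) reaches the browser.
    if (name.toLowerCase() === 'set-cookie') {
      cookies.push(...[].concat(value));
    } else {
      headers[name] = Array.isArray(value) ? value.join(', ') : String(value);
    }
  };
  res.getHeader = (name) => headers[name];
  res.end = (data) => { body = data ? String(data) : ''; };
  res.toLambdaResult = () => ({ statusCode: res.statusCode, headers, cookies, body });
  return res;
}

// Handler shape shared by both Lambdas. `authStep` is the hypothetical name for
// shopify.auth.begin (Lambda 1) or shopify.auth.callback (Lambda 2), already
// bound with its other options (shop, callbackPath, isOnline).
async function handle(event, authStep) {
  const rawRequest = eventToRequest(event);
  const rawResponse = createResponse();
  await authStep({ rawRequest, rawResponse });
  return rawResponse.toLambdaResult();
}
```

Store the session returned by the callback step in a secret store your Flow Action Lambda can read, since that token is what the order-creating Admin API call needs later.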