A developer building a custom Thank You page extension encountered authentication issues when calling their backend API. The session token was empty, and useSessionToken returned errors.
Root Cause:
useSessionToken only works in admin contexts, not in Checkout UI extensions
Storefront contexts require a different authentication approach
Solution Provided:
Use the fetch function from the useApi() hook in the frontend extension
Shopify automatically injects a secure JWT in the header when using this specific fetch method
On the backend, use authenticate.checkout(request) from @shopify/shopify-app-remix to verify the token
Outcome:
The developer found an alternative solution using order attributes from the API object, avoiding the need for backend calls
They plan to apply the authentication method for future cart page functionality that will require API support
Status: Resolved for current use case; solution documented for future implementation.
Summarized with AI on October 24.
AI used: claude-sonnet-4-5-20250929.
I am developing a Thank you page extension that calls my backend API to retrieve some data from my DB. It is a custom app for one store. Still in development and not published the app yet.
I am not able to get the session token in the extension to be passed to the backend API to authenticate the request.
The sessionToken in api object is empty. useSessionToken is returning error.
Shopify AI assistant says I dont need to set the token in header as shopify will automatically inject it but it is not getting set at all in the request header.
I could not find any documentation about the limitation for Thank you page extension (Checkout UI extension) in getting session token to pass to backend API.
The useSessionToken hook is only for your app’s admin section and won’t work in a Checkout UI extension. For this storefront context, you must use Shopify’s specific authentication method for UI extensions.
On your frontend Thank You page extension, get the fetch function from the useApi() hook. When you use this specific fetch to call your app’s backend, Shopify automatically attaches a secure JWT in the header. You do not need to get or set any token yourself.
In your backend Remix API route, you then verify this token. The @shopify/shopify-app-remix package provides a specific function for this. Simply protect your loader or action with await authenticate.checkout(request). This will validate the incoming request and give you a secure session, solving the authentication issue.
Thanks a lot. I moved on from API as the order attributes was available in the api object. However, I am extending functionality in cart page, that for sure will require API support. Will try and see how I go.