How can I get an offline access token for my custom app to store securely for further use?

I already have built a custom app using the latest Node template (https://github.com/Shopify/shopify-app-template-node)). I installed it in the development store and distributed it in another store. Now I am in need of an offline access token to use Shopify admin API.

Please guide me in obtaining an offline access token for my custom app; I will securely store it for usage.

Thanks in advance

Hey @rousnay ,

To perform an offline task (like processing a webhook), you can do something like:

async function someOfflineProcess() {
  const sessionId = await shopify.api.session.getOfflineId(shop)
  const session = await shopify.config.sessionStorage.loadSession(sessionId);
  const client = new shopify.api.clients.Rest({session});

  // Use the client, e.g. update a product:
  const products = await client.put({
    path: `products/${product.id}.json`,
    data,
  });
}

Let me know if you get stuck!

@SBD Thank you so much for your reply, yes I am trying to process a webhook (fulfillment notification) from another server.

I tried with the code above, but giving an error in ‘shop’ as an argument, I tried adding the shop URL directly (“iplaysafe-consultancy-app-store.myshopify.com”) as an argument, but it’s not working, (InvalidShopError: Received invalid shop argument).

How can I make it work?

Thanks again

That should do it. Can I please see your package.json?

const sessionId = await shopify.api.session.getOfflineId(shop) how to get shop here?

Hey @FaizaBashir

shop is the myshopify url, for example:

const sessionId = await shopify.api.session.getOfflineId('example.myshopify.com')

thank you for your response. How to get my shopify url. I am struggling with getting shop url and access token I tried many solutions but nothing seems to work. I am working on Shopify app with node and react following documentation. How to get access token and shop url in index.js or middleware?

Thanks a lot. Following the solution you provided, I have successfully got access token. But I hardcoded the shop url. How to get shop url?

Given a webhook is triggering this, you could pull the shop from the webhook headers (X-Shopify-Shop-Domain). Be sure to verify the webhook before trusting the value.

Thanks a million. I am new to shopify app develpment and I am wrking on a test app for learning. No, its noot being triegered by webhook. Can you please share example of getting shop url both with and without webhook?

I see this endpoint in index.js inside createServer function. How to call this in index.js or middleware? When i call this endpoint with axios i get eeror invlid url.

app.get(“/api/shop”, async (_req, res) => {
// Refer to docs: https://shopify.dev/docs/api/admin-rest/2023-01/resources/shop#resource-object
const shopData = await shopify.api.rest.Shop.all({
session: res.locals.shopify.session,
});
res.status(200).send(shopData);
});

Could you please help me. I searched alot but couldnt find solution. How i get shop url? I am stuck please help

Could you please help me? How to get shop url in backend? in index.js or middleware. I want to call script tag api how to get shop here

https://{shop}/admin/api/2021-04/script_tags.json
how did you get shop here await shopify.api.session.getOfflineId(shop)

Hey @rousnay, Could you please help me. How to get shop url?

Hey, @SBD I am waiting for your response,please help me. How to get shop url?

Hey @FaizaBashir

Our wires might be getting crosses - can you please provide a description of the app you’re building / what you need the token for?

Also be sure to check out the tutorial to familiarize yourself with the Shopify App concepts: https://shopify.dev/docs/apps/getting-started/build-app-example

@SBD I am working on a test wishlist app with node and react for learning. I am using script tag api. I am able to get access token but how to get shop url here?

await axios.post({shop}/admin/api/

LATEST_API_VERSION

/script_tags.json;
, scriptTagBody, { headers: shopifyHeader(token) })
.then(response => { console.log(response); })
.catch(error => console.log(error));

The shop can be obtained from the session:

app.post("/api/install", async (_req, res) => {
  console.log(res.locals.shopify.session.shop);
});

The app template comes with REST and GraphQL clients, so you don’t need to manually construct the requests with Axios. Here’s an example of creating a script tag with the REST client:

app.post("/api/install", async (_req, res) => {
  const client = new shopify.api.clients.Rest({session: res.locals.shopify.session});

  await client.post({
    path: "script_tags",
    data: {"script_tag":{"event":"onload","src":"https://some-example.com/script.js"}},
  });

  ... 

});

@SBD thanks a million. I tried the code you provided but its not being called. I am using express. I tried both in index.js and middleware but this is not executed.

const app = express();
app.post(“/api/install”, async (_req, res) => {
console.log(res.locals.shopify.session.shop);
});

here is my index.js code

import scriptTags from ‘./middleware/scriptTags.js’;
import shopify from “./shopify.js”;

const app = express();

app.post(“/api/install”, async (_req, res) => {
console.log(res.locals.shopify.session.shop);
});

const sessionId= await shopify.api.session.getOfflineId(‘test.myshopify.com’);
const session= await shopify.config.sessionStorage.loadSession(sessionId);
const client = new shopify.api.clients.Rest({session});
console.log(client)
const USE_ONLINE_TOKENS = false;

const result=scriptTags(app);

const PORT = parseInt(process.env.BACKEND_PORT || process.env.PORT, 10);

// TODO: There should be provided by env vars
const DEV_INDEX_PATH = ${process.cwd()}/frontend/;
const PROD_INDEX_PATH = ${process.cwd()}/frontend/dist/;

const DB_PATH = ${process.cwd()}/database.sqlite;

Shopify.Context.initialize({
API_KEY: process.env.SHOPIFY_API_KEY,
API_SECRET_KEY: process.env.SHOPIFY_API_SECRET,
SCOPES: process.env.SCOPES.split(“,”),
HOST_NAME: process.env.HOST.replace(/https?:///, “”),
HOST_SCHEME: process.env.HOST.split(“://”)[0],
API_VERSION: LATEST_API_VERSION,
IS_EMBEDDED_APP: true,
// This should be replaced with your preferred storage strategy
// See note below regarding using CustomSessionStorage with this template.
SESSION_STORAGE: new Shopify.Session.SQLiteSessionStorage(DB_PATH),
…(process.env.SHOP_CUSTOM_DOMAIN && {CUSTOM_SHOP_DOMAINS: [process.env.SHOP_CUSTOM_DOMAIN]}),
});

// NOTE: If you choose to implement your own storage strategy using
// Shopify.Session.CustomSessionStorage, you MUST implement the optional
// findSessionsByShopCallback and deleteSessionsCallback methods. These are
// required for the app_installations.js component in this template to
// work properly.

Shopify.Webhooks.Registry.addHandler(“APP_UNINSTALLED”, {
path: “/api/webhooks”,
webhookHandler: async (_topic, shop, _body) => {
await AppInstallations.delete(shop);
},
});

// The transactions with Shopify will always be marked as test transactions, unless NODE_ENV is production.
// See the ensureBilling helper to learn more about billing in this template.
const BILLING_SETTINGS = {
required: false,
// This is an example configuration that would do a one-time charge for $5 (only USD is currently supported)
// chargeName: “My Shopify One-Time Charge”,
// amount: 5.0,
// currencyCode: “USD”,
// interval: BillingInterval.OneTime,
};

// This sets up the mandatory GDPR webhooks. You’ll need to fill in the endpoint
// in the “GDPR mandatory webhooks” section in the “App setup” tab, and customize
// the code when you store customer data.
//
// More details can be found on shopify.dev:
// https://shopify.dev/apps/webhooks/configuration/mandatory-webhooks
setupGDPRWebHooks(“/api/webhooks”);

// export for test use only
export async function createServer(
root = process.cwd(),
isProd = process.env.NODE_ENV === “production”,
billingSettings = BILLING_SETTINGS
) {

app.get(“/electronics”, function (req, res) {
res.send(“This is the electronics category”);
});
app.get(shopify.config.auth.path, shopify.auth.begin());
app.get(
shopify.config.auth.callbackPath,
shopify.auth.callback(),
shopify.redirectToShopifyOrAppRoot()
);

app.set(“use-online-tokens”, USE_ONLINE_TOKENS);
app.use(cookieParser(Shopify.Context.API_SECRET_KEY));

applyAuthMiddleware(app, {
billing: billingSettings,
});

// Do not call app.use(express.json()) before processing webhooks with
// Shopify.Webhooks.Registry.process().
// See https://github.com/Shopify/shopify-api-node/blob/main/docs/usage/webhooks.md#note-regarding-use-of-body-parsers
// for more details.
app.post(“/api/webhooks”, async (req, res) => {
try {
await Shopify.Webhooks.Registry.process(req, res);
console.log(Webhook processed, returned status code 200);
} catch (e) {
console.log(Failed to process webhook: ${e.message});
if (!res.headersSent) {
res.status(500).send(e.message);
}
}
});
app.get(“/api/shop”, async (_req, res) => {
console.log(“Calling api”)
// Refer to docs: https://shopify.dev/docs/api/admin-rest/2023-01/resources/shop#resource-object
const shopData = await shopify.api.rest.Shop.all({
session: res.locals.shopify.session,
});
res.status(200).send(shopData);
});

// All endpoints after this point will require an active session
app.use(
“/api/*”,
verifyRequest(app, {
billing: billingSettings,
})
);

app.get(“/api/products/count”, async (req, res) => {
const session = await Shopify.Utils.loadCurrentSession(
req,
res,
app.get(“use-online-tokens”)
);
const { Product } = await import(
@shopify/shopify-api/dist/rest-resources/${Shopify.Context.API_VERSION}/index.js
);

const countData = await Product.count({ session });
res.status(200).send(countData);
});

app.get(“/api/products/create”, async (req, res) => {
console.log(“…product creator”)
const session = await Shopify.Utils.loadCurrentSession(
req,
res,
app.get(“use-online-tokens”)
);
let status = 200;
let error = null;

try {
await productCreator(session);
} catch (e) {
console.log(Failed to process products/create: ${e.message});
status = 500;
error = e.message;
}
res.status(status).send({ success: status === 200, error });
});

// All endpoints after this point will have access to a request.body
// attribute, as a result of the express.json() middleware
app.use(express.json());

app.use((req, res, next) => {
const shop = Shopify.Utils.sanitizeShop(req.query.shop);
if (Shopify.Context.IS_EMBEDDED_APP && shop) {
res.setHeader(
“Content-Security-Policy”,
frame-ancestors https://${encodeURIComponent( shop )} [https://admin.shopify.com](https://admin.shopify.com);
);
} else {
res.setHeader(“Content-Security-Policy”, frame-ancestors 'none';);
}
next();
});

if (isProd) {
const compression = await import(“compression”).then(
({ default: fn }) => fn
);
const serveStatic = await import(“serve-static”).then(
({ default: fn }) => fn
);
app.use(compression());
app.use(serveStatic(PROD_INDEX_PATH, { index: false }));
}

app.use(“/*”, async (req, res, next) => {
if (typeof req.query.shop !== “string”) {
res.status(500);
return res.send(“No shop provided”);
}

const shop = Shopify.Utils.sanitizeShop(req.query.shop);
console.log("Shop name is ")
console.log(shop)
const appInstalled = await AppInstallations.includes(shop);

if (!appInstalled && !req.originalUrl.match(/^/exitiframe/i)) {
return redirectToAuth(req, res, app);
}

if (Shopify.Context.IS_EMBEDDED_APP && req.query.embedded !== “1”) {
const embeddedUrl = Shopify.Utils.getEmbeddedAppUrl(req);

return res.redirect(embeddedUrl + req.path);
}

const htmlFile = join(
isProd ? PROD_INDEX_PATH : DEV_INDEX_PATH,
“index.html”
);

return res
.status(200)
.set(“Content-Type”, “text/html”)
.send(readFileSync(htmlFile));
});

return { app };
}

createServer().then(({ app }) => app.listen(PORT));