I think the only thing you got wrong is the actual user flow you expect. When a user accesses your App via a URL, they do not LOGIN to your App; instead, they provide the shop name so you can initiate OAuth. That is where you made a mistake, I think. If you want people to log in to your App, separate from Shopify, you do that at some other URL, and take care of that outside the Shopify flow.
Topic summary
Main issue: how to structure OAuth for unlisted Shopify apps so that OAuth initiates immediately from the App URL, independent of the app’s own login or onboarding.
Key guidance and resolutions:
- OAuth must be the first step when a merchant reaches the App URL. Prompt for the shop (myshopify.com) and initiate OAuth; do not require your app’s login first. Your own app authentication should be separate and occur after OAuth.
- For multi-tenant subdomains, centralize OAuth on a single domain (e.g., www). Flow used successfully: receive shop param → initiate OAuth → save token (not yet tied to a user) → ask user to log in → associate token to the logged-in user → redirect to their tenant subdomain.
- Billing API: perform OAuth first, obtain the access token, then prompt app login and run any billing steps. Avoid mixing app-login during the initial OAuth step.
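The centralized flow above (receive shop param, initiate OAuth, park the token, app login, associate, redirect to the tenant) as an added Python example; it is not code from the thread or from Shopify's own libraries. The credentials, the example.com hostnames, the in-memory dicts standing in for a database and the injected exchange_code function are assumptions.

```python
import hashlib, hmac, re, secrets
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder credentials; the multi-tenant hostnames are assumptions.
CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"
REDIRECT_URI = "https://www.example.com/auth/callback"
SCOPES = "read_products"
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")
pending_states = {}         # state nonce -> shop (stands in for a DB table)
tokens_awaiting_user = {}   # shop -> access token not yet tied to an app user
user_shops = {}             # app user id -> (shop, token)

def is_valid_shop(shop):
    # Only a *.myshopify.com host may be redirected to; anything else is rejected.
    return bool(SHOP_RE.match(shop))

def start_oauth(shop):
    # Step 1: the App URL receives ?shop=... and immediately builds the authorize URL.
    if not is_valid_shop(shop):
        raise ValueError("invalid shop domain")
    state = secrets.token_urlsafe(16)   # nonce, checked again in the callback
    pending_states[state] = shop
    query = urlencode({"client_id": CLIENT_ID, "scope": SCOPES,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"https://{shop}/admin/oauth/authorize?{query}"

def hmac_of(params):
    # Shopify's callback signature: params minus 'hmac', sorted by key, joined as
    # k=v with '&', HMAC-SHA256 keyed with the app secret, hex encoded.
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(CLIENT_SECRET.encode(), message.encode(), hashlib.sha256).hexdigest()

def handle_callback(query_string, exchange_code):
    # Step 2: verify hmac and state, exchange the code (exchange_code is injected so
    # this runs offline), then park the token until the merchant logs in to the app.
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if not hmac.compare_digest(hmac_of(params).encode(), params.get("hmac", "").encode()):
        raise PermissionError("bad hmac")
    shop = pending_states.pop(params.get("state"), None)
    if shop is None or shop != params.get("shop"):
        raise PermissionError("state/shop mismatch")
    tokens_awaiting_user[shop] = exchange_code(shop, params["code"])
    return shop

def attach_to_user(user_id, shop):
    # Step 3: after the app's own login, bind the parked token to that user and
    # send them to their tenant subdomain.
    user_shops[user_id] = (shop, tokens_awaiting_user.pop(shop))
    return f"https://{user_id}.example.com/"
```

Real callback values can contain characters that need escaping before signing; this example constructs only plain ASCII values.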
Recent update/constraint (2024): reviewers flagged flows that request manual entry of a shop’s domain (myshopify.com) as not allowed. How to handle shop identification without manual entry remains unresolved in the thread.
Notes: Links/images illustrating Shopify’s OAuth flow and a reviewer screenshot are central. Discussion remains partially open regarding the “no manual shop entry” requirement.