Main issue: Securing a bearer token for a 3rd‑party API while displaying that API’s data in a Shopify Admin UI extension (Order/Product pages) without exposing the token to staff; only the installing admin should configure it.
Proposed approach:
Store the bearer token only on the app’s backend; never in the browser or extension code.
Use Shopify session tokens to authenticate the app with Shopify; these are short‑lived.
Perform all third‑party API requests server‑side using the stored token.
Return only the needed data from your server to the extension over HTTPS.
OP’s concern: Existing docs don’t clearly show how an Admin Block Extension can render data sourced from a non‑Shopify API via this backend flow. They request concrete, step‑by‑step guidance for wiring the extension to call their app backend, which then calls the external API and returns sanitized data.
Status/outcome: No specific implementation details were provided; discussion remains open.
Key terms: bearer token (static API credential); session token (short‑lived auth token issued by Shopify).
Media: One linked video highlighting the documentation gap.
Setup: I have an extension UI on the Order and Product details pages, and I want to populate it with data from a 3rd-party API authenticated using a bearer token, to be displayed in the extension.
Problem: I want the bearer token to be secured in the app settings. I don't want the token to be visible in the browser to the staff (good case: only the admin who configures the app during install).
Can you help me understand the Authentication Strategy. I have gone through some docs but they weren’t clear on this bit.
From your description it seems that you want to ensure the security of the bearer token used to authenticate your app with a third-party API. Shopify provides a few ways for you to securely store and use tokens within your app.
Here’s a quick guide on how you might set up your authentication strategy:
Store the token securely: The token should be securely stored on your app’s backend server and not be exposed to the client-side or browser. This ensures that only your server has access to the token.
Use session tokens for app authentication: For authenticating your app with Shopify, you can use Shopify’s session tokens. These are secure and automatically expire after a period, providing an additional layer of security.
Backend to Third-party API requests: All requests to the third-party API that require the bearer token should be made from your server. This way, the token is never exposed to the client-side.
Server to Extension UI data transfer: After your server retrieves data from the third-party API, the data can then be sent from your server to the Extension UI where it can be displayed. This should be done in a secure manner, for example, over HTTPS.
Remember, the key idea here is to never expose sensitive tokens on the client-side and to always make secure requests from your server to the third-party API.
For more details, I’d recommend checking out the Shopify Developer Documentation, specifically the sections on App Authentication and OAuth.
I have gone through the docs and haven't found an answer to the question: hit an external (non-Shopify) API and get that info rendered in the admin block extension. I even found a video of someone stating the same. If you could be more specific in your direction, I’d be happy to dig deeper and solve this for myself and others.