Private App security, access

We have a question regarding securing our private app which we created on our store via the admin settings > apps section.

The app was created on Shopify by us as the admin. The credentials that Shopify displayed for the app say that they should only be shared with a trusted party / a developer.

From time to time, we work with external developers on a contract basis who can view the credentials, since they are stored in our files to make the read/write connections between our own server and our Shopify store possible.

However, once the contract with our external developers ends, we find that we cannot edit the credentials. This makes us feel like our shop and storefront connections are exposed, which leaves an uncertain feeling.

Custom apps seem to have a function for creating new tokens, but our private app does not have it, which is very strange, given that we are told to only share with trusted parties (meaning it's something that should be editable in case of anything). How can we always guarantee trust when we work with different people, and sometimes agencies with big teams, for the first time?

Does anyone know how we can edit a private app's credentials, or at least generate a new Storefront access token? This seems like it is not possible.

We reached out to the shopify support team and have been referred to this community.

Hi Zinsta,

Private apps don’t have a way to regenerate the credentials and have been deprecated since January 2022, so the solution is to create an in-store custom app to replace the private app and to move forward with the custom app’s credentials instead. Some great related documentation is here: [In-store custom app credentials - Shopify Dev Docs]

Hope you have a great day,

Hi Jon,

Thank you for your feedback. We are indeed aware that the private app was deprecated; however, we still use it. We are using its Webhook API to connect to our server. Updating the webhook version has caused issues in the past, so we had to stick to an old version as recommended by Shopify, which luckily guaranteed that they will keep supporting the older webhook versions, even ones as old as 2020. This is also why we haven't shifted to custom apps yet.

We were hoping there was another way around this, since the shop works well.

It is unfortunate and surprising to hear that the private app credentials were not made in a way that could be updated, even though they are meant to be kept secret yet need to be shared.

I have also noticed that we are going to face the same problem with custom apps. I have just checked and installed one, and I see there is no way we can update the credentials (shared key, storefront access tokens, API key, secret key) in the future; there is no button or function for generating new credentials. Why is that the case?

Hi Jon,

I have just stumbled on this information and a possible solution, but for custom apps. If we use the custom app, we may need to uninstall the app in order to generate new tokens.

"Rotating API credentials for admin-created apps

To rotate the API credentials for a custom app that was created in the Shopify admin, you need to uninstall and reinstall the app. To uninstall and reinstall your app, refer to the Custom apps documentation on the Shopify Help Center." https://shopify.dev/apps/auth/admin-app-access-tokens

Is this the right solution for a custom app that is created on the merchant admin side?

It would be great for merchants like me who lack technical skills to have a better and easier user interface that shows it's possible; perhaps not many know that they need to uninstall and reinstall the app to generate new tokens. And they might have to rely on sharing it so the files or code where it's stored can be updated as well. Luckily, on my side, I can get around a bit of programming, or when it comes to editing a file, with fewer risks of breaking anything.

My impression of Shopify is that it's more pro-developer than pro-merchant; it's not built for merchants as its key customers or target.

Hi Zinsta,

Thanks for your reply and feedback. Yes, that's correct: there's an 'Uninstall'/'Install' button on the summary tab of the custom app page in the admin for that purpose, which is different from deleting the custom app and recreating it.

We’ll look into improving the details about regenerating the access token on the [Help Center page about custom apps] to make this more clear in the future.

It's important to note that upon uninstallation, things that were registered into the system via the API with a custom app access token, like webhooks, are removed for security and need to be re-registered using the new access token in order to start working again.

So if working with an app developer, the custom app should include a way to re-register those; or, if making manual API calls to register them during development, a detailed list should be kept with instructions so they can be re-added at a later time if necessary.

Hope you have a great day,
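An added example (my own code, not Shopify's and not from this thread) of the re-registration step described in the post above: a small Python script that, given a version-controlled list of the webhooks your server depends on, registers whatever is missing under the newly issued access token and reports any subscription that points somewhere you no longer expect. The Admin REST API endpoint `/admin/api/{version}/webhooks.json` and the `X-Shopify-Access-Token` header are real; the shop domain, token value, endpoint addresses, the `FakeShopify` stand-in and the pinned `API_VERSION` are constructed so the script runs offline.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Hypothetical version pin (not from the thread): use the API version your
# server and its webhook payloads were actually built against.
API_VERSION = "2024-01"

Pair = Tuple[str, str]                                    # (topic, address)
Sender = Callable[[str, str, str, Optional[dict]], dict]  # (method, url, token, body) -> parsed JSON


def shopify_headers(token: str) -> Dict[str, str]:
    """Headers for an Admin REST API call authenticated with the app's access token."""
    return {
        "X-Shopify-Access-Token": token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def http_send(method: str, url: str, token: str, body: Optional[dict]) -> dict:
    """Real transport (never called in the offline demo): one Admin REST API request."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=shopify_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def reconcile_webhooks(shop: str, token: str, desired: Iterable[Pair], send: Sender = http_send) -> dict:
    """Make sure every desired (topic, address) pair is registered under `token`.

    Returns what was created, what already existed, and what is registered but
    absent from the desired list ("stale": for example an endpoint added by a
    former contractor). Stale entries are reported rather than deleted, so the
    script can be run after every rotation without surprising side effects.
    """
    url = f"https://{shop}/admin/api/{API_VERSION}/webhooks.json"
    existing = send("GET", url, token, None).get("webhooks", [])
    have = {(w["topic"], w["address"]) for w in existing}
    want = set(desired)
    created: List[Pair] = []
    for topic, address in sorted(want - have):
        payload = {"webhook": {"topic": topic, "address": address, "format": "json"}}
        hook = send("POST", url, token, payload)["webhook"]
        created.append((hook["topic"], hook["address"]))
    return {"created": created, "kept": sorted(want & have), "stale": sorted(have - want)}


class FakeShopify:
    """Constructed in-memory stand-in for the webhooks endpoint (offline demo only).

    A custom app that was just uninstalled and reinstalled starts with no
    subscriptions, because uninstalling removes everything registered with
    the old token.
    """

    def __init__(self, initial: Iterable[Pair] = ()) -> None:
        self.webhooks = [{"id": i + 1, "topic": t, "address": a} for i, (t, a) in enumerate(initial)]
        self.tokens_seen = set()

    def send(self, method: str, url: str, token: str, body: Optional[dict]) -> dict:
        self.tokens_seen.add(token)
        if method == "GET":
            return {"webhooks": list(self.webhooks)}
        if method == "POST":
            hook = body["webhook"]
            rec = {"id": len(self.webhooks) + 1, "topic": hook["topic"], "address": hook["address"]}
            self.webhooks.append(rec)
            return {"webhook": rec}
        raise ValueError(f"unsupported method {method}")


# Constructed manifest of the subscriptions our own server depends on. Keep it
# in version control next to the code that consumes the webhooks, so the list
# survives a contractor leaving and the token being rotated.
DESIRED_WEBHOOKS: List[Pair] = [
    ("orders/create", "https://example.com/shopify/orders"),
    ("products/update", "https://example.com/shopify/products"),
]


def demo() -> Tuple[dict, dict, dict]:
    shop, new_token = "example.myshopify.com", "shpat_rotated_placeholder"  # constructed values
    fresh = FakeShopify()                      # state right after uninstall + reinstall
    first = reconcile_webhooks(shop, new_token, DESIRED_WEBHOOKS, fresh.send)
    second = reconcile_webhooks(shop, new_token, DESIRED_WEBHOOKS, fresh.send)  # idempotent re-run
    # A store where someone left a subscription pointing at a host we no longer control:
    leftover = FakeShopify([("orders/create", "https://old-contractor.example/hook")])
    audited = reconcile_webhooks(shop, new_token, DESIRED_WEBHOOKS, leftover.send)
    return first, second, audited


if __name__ == "__main__":
    for label, report in zip(("first run", "second run", "audit"), demo()):
        print(label, json.dumps(report))
```

Run it with the real `http_send` after the uninstall/reinstall has issued the new token, and at the same time replace the old token (and API secret, which your webhook HMAC check relies on) in the server's configuration; the "stale" list is the thing to read carefully, since it is exactly where a departed contractor's endpoint would show up.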

Thanks Jon, very good insight and steps to follow. I feel more informed now on what we need to do.

I look forward to the improvement from Shopify's side. This is a very important feature; as said, it should be secret and handled with care. Not managing it well and having customer data easily exposed might also bring a lot of legal problems, especially for merchants in the EU who are trying to stick to the GDPR guidelines.