Shopify app does not work while blocking third party cookies in incognito mode

Topic summary

Main issue: A Shopify embedded app hosted at app.juthor.sa loads in normal browsing but fails in incognito when third‑party cookies are blocked. No requests reach the server, suggesting the authentication/session handshake (likely cross‑domain) is failing before the Flutter app is invoked.

Suspected cause: Shopify’s embedded app flow relies on cookies for session/auth across domains; blocking third‑party cookies prevents the cross-site cookie exchange, breaking initial auth.

Proposed approaches:

  • Use token-based authentication (OAuth or JWT) instead of relying on cookies. OAuth is a standard authorization flow; JWT is a signed token carrying user/session claims.
  • If cookies are required, set them with SameSite=None; Secure so they can be sent in cross-site contexts over HTTPS.

Open questions: The app author asks whether these settings must be applied on the server side (cookie attributes and token issuance/validation).

Status: No confirmed fix or decision yet. Shopify will not accept the app until this third‑party cookie issue is resolved. No images/code snippets are central to the discussion.

Summarized with AI on December 16. AI used: gpt-5.

Hi everyone,

I’m facing an issue with my Shopify app integration, and I need some help. Here’s the situation:

My app is hosted on app.juthor.sa, and everything works fine in normal mode.
However, when I try to load the app in incognito mode with third-party cookies blocked, it doesn’t load.
In incognito mode, Shopify doesn’t seem to send any requests to my server (app.juthor.sa). It appears to be failing at the authentication step or during the initial attempt to communicate with my server, so my Flutter app is never requested.
I suspect this is related to how Shopify handles cross-domain requests or authentication when third-party cookies are blocked.

Could anyone guide me on how to resolve this? Should I be handling authentication or session management differently (e.g., token-based methods or adjusting cookie settings)?

Shopify refused to accept the app until this problem is solved.

Thanks in advance!

Thanks, Olamide2

  1. Use token-based authentication (OAuth or JWT) instead of cookies.
  2. Set cookies with SameSite=None; Secure to allow cross-site requests over HTTPS.

Should I do these settings on my server side?
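What the two suggestions in this thread look like on the server side, as an added example that is not code from the thread, the app, or Shopify. It assumes an HS256 token signed with a shared secret and sent in an `Authorization: Bearer` header; the secret, claim names and function names are hypothetical.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

# Constructed demo secret; assumption: issuer and app server share an HS256 key.
SECRET = b"constructed-demo-secret"

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims, secret=SECRET):
    """Hypothetical issuer: builds header.payload.signature."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(sign(head + "." + body, secret))
    return head + "." + body + "." + signature

def verify_bearer(authorization, secret=SECRET, now=None):
    """Return the claims dict for a valid 'Bearer <jwt>' header, else None."""
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm, do not trust the header
        return None
    if not hmac.compare_digest(sig, sign(parts[0] + "." + parts[1], secret)):
        return None
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

def cross_site_cookie(name, value):
    """Set-Cookie value that may be sent in cross-site contexts over HTTPS."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name].update({"path": "/", "secure": True, "httponly": True, "samesite": "None"})
    return jar[name].OutputString()
```

A browser that blocks third-party cookies will still refuse a `SameSite=None; Secure` cookie set inside a cross-site iframe, so in that mode only the header-based token check carries the session.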