Shopify app that works with an external website

Topic summary

Main issue: App review rejected because installation redirects to an external login page before initiating Shopify OAuth. Shopify requires starting OAuth immediately after the merchant clicks Add app so permissions are granted before any data association.

Proposed flow change:

  • First: Initiate OAuth and complete installation. Rationale: Merchant must grant access before data sharing.
  • Then: Associate the installed store with an existing user in the external service.

Suggested technical steps:

  • Check if an offline token (long‑lived access token) exists for the store.
  • If not, redirect to OAuth to obtain it.
  • After OAuth, check if the store is linked to a user record in your database.
  • If not linked, redirect to a page to connect the store with a user account.

Clarifications:

  • OAuth: standard authorization flow to obtain permissions from the merchant.
  • Offline token: persistent token for API access when the merchant is not online.

Status: The app developer will try the revised flow and report back. Another participant requested results. No final resolution yet.

Summarized with AI on January 21. AI used: gpt-5.

Hello,

We’re trying to submit an app to the Shopify store that works with our online accounting website. The idea is simple: we have clients who have Shopify stores and would like to use our website to generate invoices for their Shopify orders.

They can install the Shopify app straight from our website, which follows the OAuth procedure. However, that cannot happen until our app is listed publicly in the store, and in order to do that we have to follow the ‘install procedure’ required by the Shopify app submission process. This goes through installing the app via a test Shopify store on the Shopify website itself. So in order to install the app we need to associate a user from our service with a Shopify store owner. Hence, we redirect to our website, where after authentication, the user can connect their Shopify store to our service account. However, our app keeps getting rejected because we’re supposed to redirect the user immediately to the OAuth process:

“There was an error installing your app. The app must be installed to perform the security check. We expected OAuth to be initiated at https://app-security.myshopify.com/admin/oauth/authorize but were redirected to https://nula.bg/login. Your app must request installation immediately after clicking “add app.” Apps must request shop access during installation, or reinstallation if the app was previously uninstalled from the shop.”

Can anyone help out? I think our use case is pretty standard, how can we achieve our goals and get through the approval process?

Thanks!

Hey there,

If I’ve understood correctly your desired flow when installing the app is in this order

  1. Connect the store with a user record you have
  2. Go through OAuth to install the app.

It sounds like you need to switch the order of these two things, e.g.:

  1. Go through OAuth to install the app.
  2. Connect the store with a user record you have

Technically this would look something like:

  1. Check if you have an offline token for this store
  2. Redirect to OAuth if not
  3. Check if you have a user record from your database associated with the store.
  4. Redirect to a page where they can connect the store with your user record if not.

Does that sound possible?

I think the order matters here because a merchant has to give permission to share data before they actually share data. If a user first connects their store with your user record, then they have not yet given permission to share any data.

Richard
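The install-route decision Richard outlines, as an added Python example that is not part of this thread or of Shopify's own libraries. The token, user and state tables are constructed in-memory stand-ins for the app's database, the `myshopify.com` domain check, `state` nonce and callback HMAC check are the usual OAuth hardening steps, and the actual code-for-token exchange with Shopify is left out.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# The shop domain is merchant-supplied; accept only well-formed myshopify
# hosts so the authorize redirect can never be pointed at an arbitrary site.
SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")

# Constructed in-memory tables standing in for the app's database (hypothetical).
OFFLINE_TOKENS = {}    # shop domain -> offline access token
STORE_USERS = {}       # shop domain -> id of the linked accounting-service user
PENDING_STATES = {}    # OAuth state nonce -> shop, consumed once on callback


def install_step(shop, api_key, scopes, redirect_uri):
    """Decide where a merchant arriving at the install URL goes next.

    OAuth comes first; linking the store to a service user only happens once
    an offline token is on file, which is the order the review asked for.
    """
    if not SHOP_RE.match(shop):
        return ("error", "invalid shop domain")
    if shop not in OFFLINE_TOKENS:
        state = secrets.token_urlsafe(16)   # one-time nonce, bound to this shop
        PENDING_STATES[state] = shop
        query = urlencode({"client_id": api_key, "scope": scopes,
                           "redirect_uri": redirect_uri, "state": state})
        return ("redirect", f"https://{shop}/admin/oauth/authorize?{query}")
    if shop not in STORE_USERS:
        return ("redirect", f"/connect-account?shop={shop}")
    return ("redirect", f"/dashboard?shop={shop}")


def compute_hmac(params, api_secret):
    """HMAC-SHA256 over the sorted query parameters with 'hmac' removed.

    Assumes parameter values contain no '&' or '=' that would need escaping.
    """
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(api_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(params, api_secret):
    """Return the shop for a valid OAuth callback, else None.

    Rejects a bad signature, an unknown or replayed state, and a shop that
    differs from the one the state was issued for.
    """
    expected = compute_hmac(params, api_secret).encode()
    if not hmac.compare_digest(expected, params.get("hmac", "").encode()):
        return None
    shop = PENDING_STATES.pop(params.get("state", ""), None)
    return shop if shop is not None and shop == params.get("shop") else None
```

Only after `verify_callback` succeeds does the app exchange the returned `code` for an offline token, store it under the shop, and then send the merchant on to the account-linking page.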

Thanks for the feedback. We’ll give this a try and we’ll write back the result.


Curious to know the results 🙂