Storefront api + private app security concern

weiwanghasbeen · April 27, 2021, 9:38am

Hi,

I am trying to integrate Shopify to a website for a client. No login. No cart. Just a button that leads to the checkout page. I know this can actually be done easily with Buy Buttons, but I want to take this chance to learn more about storefront api.

Anyway, the website works well. The workflow is using the handle of a product to get the variant id, then creating a checkout with the variant id and getting its webUrl, then redirecting when a button is clicked.

I was wondering if this sounds secure cause all the data used in the flow (access token of private app, online store url, handles) are public. I used Stripe before and it requires a private key for a similar process. Now I just want to make sure that I didn’t upload anything that shouldn’t be public on github.

Thanks in advance,

Wei

c10s · April 27, 2021, 3:00pm

Yes, the Storefront API (and the ‘storefront access token’) is intended for client-side code so you’re safe doing what you’re doing.

However you never want the Admin API and corresponding access token to be exposed to the client, that API should only ever be used in server-side code.

weiwanghasbeen · April 28, 2021, 8:04am

awesome. thanks a lot!

W

Topic		Replies	Views
API key visible in embedded code Custom Storefronts	9	82	December 8, 2020
Custom client-side app: security concerns and storefront api questions Custom Storefronts Setting-Up	1	14	December 8, 2022
Is it ok that Storefront API's Access token is public? Custom Storefronts	0	12	August 23, 2022
Difference between Storefront access token and API Key Custom Storefronts	1	318	March 28, 2021
Unauthenticated Shopify API Custom Storefronts	1	63	November 19, 2019

Storefront api + private app security concern

Related topics