Hi everyone, we are developing a new Shopify app and planning to submit it. We are using Osiset Laravel with ReactJS. We noticed that there is a restriction for embedded apps in the Requirements for apps in the Shopify App Store.
Embedded apps that don’t use session tokens - Embedded apps submitting to the Shopify App Store must use session tokens to authenticate.
So we used App Bridge to get a session token from Shopify and I added it to the header of each axios call. Now the app works as expected in the Chrome browser, but the embedded app doesn’t work in incognito mode.
In addition, I have two questions regarding the implementation of session tokens:
- Does the session token need to be used even if the backend does not call the Shopify API?
- What is the best way to determine whether we are meeting the requirement? I saw some apps got rejected because "The app shows an error when the 3rd party cookies are blocked."