Will cookie-based authentication stop working?

Topic summary

Developers are concerned about whether cookie-based authentication will stop working for their Shopify apps. The main issue involves two private embedded apps built with React and Koa.js using the deprecated koa-shopify-auth package.

Key Technical Details:

  • Apps currently use cookie-based authentication instead of session tokens
  • Not using the newer @shopify/shopify-api for request verification
  • Backend calls Shopify API through axios client

Shopify’s Official Response:

  • All embedded apps must use session tokens because third-party cookies don’t work in browsers restricting cross-domain access
  • No hard deadline exists for when cookie authentication will stop working
  • For public apps: users may be unable to access the app if their browser blocks third-party cookies
  • Apps posing user risk during the audit process may be contacted and required to migrate immediately

Current Status:

  • Multiple developers report facing the same issue
  • Migration to session tokens appears necessary, though timing remains flexible for private apps
  • Public apps face more immediate pressure due to browser cookie restrictions

Summarized with AI on November 20. AI used: claude-sonnet-4-5-20250929.

Hi all,

I am running two self-built private apps on a production Shopify. The 2 apps are embedded apps with a React frontend and a Koa.js backend, and the authentication uses the deprecated koa-shopify-auth (https://github.com/Shopify/koa-shopify-auth). Here are the Shopify Node package versions of the 2 apps.

  1. KoaJS backend
    "@shopify/koa-shopify-auth": "^3.1.70",
    "@shopify/koa-shopify-webhooks": "^2.5.0"

  2. React frontend
    "@shopify/app-bridge-react": "^1.27.2",
    "@shopify/polaris": "^5.2.1",
    "@shopify/polaris-icons": "^3.12.0",
    "@shopify/react-router": "0.0.34"

koa-shopify-auth is deprecated, and it suggests that users migrate from cookie-based authentication to session tokens. On the other hand, I am not using @shopify/shopify-api for verifying the HTTP request from the React frontend. And the Koa.js backend calls the Shopify API through an axios client.

So my question is: if I keep the following setup, will it stop working in the upcoming Shopify update, like Winter 2023?

Thanks.

Regards,

Kit

Last time I checked, Shopify-Koa uses JWT authentication.

I am facing the same problem for my public app.
Did you get any solution, or is migration the only option?

Thanks,
Pravin


No update yet.

Got a reply from Shopify support. They said, according to their documentation:
https://shopify.dev/docs/apps/auth/oauth/session-tokens

All embedded apps need to use session tokens because third-party cookies won’t work with browsers that restrict cross-domain data access. If your embedded app still uses cookies and could pose a risk to users, then as part of our app audit process you might be contacted and requested to migrate your app to use session tokens. This request will require immediate action.

So I guess there is no deadline for when cookie authentication will stop working. But if your app is a public app, the user may not be able to use it if their browser blocks 3rd-party cookies.
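
As an added illustration that is not part of the thread and not Shopify's own code: the server-side check that replaces the cookie once an embedded app moves to session tokens. It assumes the token format described in the linked documentation (an HS256 JWT signed with the app's secret, with `aud` set to the app's API key); the function names, placeholder credentials and shop domain are made up for the example.

```javascript
// Added example: cookie-free check of a Shopify session token (HS256 JWT).
// The frontend is assumed to send it as "Authorization: Bearer <token>".
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Returns the decoded claims if the token is valid, otherwise throws.
function verifySessionToken(token, apiKey, apiSecret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, sig] = parts;

  // Pin the algorithm; never let the token header choose it (rejects "none").
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "HS256") throw new Error("unexpected alg");

  // Recompute the HMAC with the app secret and compare in constant time.
  const expected = crypto.createHmac("sha256", apiSecret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error("bad signature");

  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  const skew = 5; // seconds of clock skew tolerated (assumption)
  if (typeof claims.exp !== "number" || claims.exp < now - skew) throw new Error("expired");
  if (typeof claims.nbf === "number" && claims.nbf > now + skew) throw new Error("not yet valid");
  if (claims.aud !== apiKey) throw new Error("wrong audience");
  // iss and dest must name the same shop domain.
  if (new URL(claims.iss).hostname !== new URL(claims.dest).hostname)
    throw new Error("iss/dest mismatch");
  return claims;
}

// Test helper: signs a constructed token locally so the example runs offline.
function signSample(claims, secret, alg = "HS256") {
  const h = b64url(JSON.stringify({ alg, typ: "JWT" }));
  const p = b64url(JSON.stringify(claims));
  const s = b64url(crypto.createHmac("sha256", secret).update(`${h}.${p}`).digest());
  return `${h}.${p}.${s}`;
}

// Demo with constructed values (placeholder key, secret and shop domain).
const demo = signSample({ iss: "https://example-shop.myshopify.com/admin",
  dest: "https://example-shop.myshopify.com", aud: "PLACEHOLDER_API_KEY",
  sub: "42", exp: Math.floor(Date.now() / 1000) + 60 }, "PLACEHOLDER_API_SECRET");
console.log(verifySessionToken(demo, "PLACEHOLDER_API_KEY", "PLACEHOLDER_API_SECRET").sub);
```

Because the token travels in a request header and is verified on every call, nothing here depends on the browser accepting third-party cookies.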