Cookie not returned in install callback request object

New Member


I just got started building a Shopify app, so I'm following the tutorial here: I'm using Node for my endpoint. I've successfully done everything and can make api calls with a permanent access token...

The problem I'm having is that the request object attached to the `/shopify/callback` route that is redirected to when the person installs my app does not contain the cookie I sent with the response when I redirected to the shopify app install page. So I can't verify the origin of the request was from me.

I'll paste in the relevant code I am referring to:

```javascript
app.get('/shopify', (req, res) => {
  // other code omitted for sake of brevity
  const state = nonce();
  const redirectUri = forwardingAddress + '/shopify/callback';
  const installUrl = 'https://' + shop +
      '/admin/oauth/authorize?client_id=' + apiKey +
      '&scope=' + scopes +
      '&state=' + state +
      '&redirect_uri=' + redirectUri;
  res.cookie('state', state); // <---- HERE IS WHERE I'M SETTING THE COOKIE TO CHECK THE ORIGIN
  res.redirect(installUrl);
});

app.get('/shopify/callback', (req, res) => {
  const { shop, hmac, code, state } = req.query;

  const stateCookie = cookie.parse(req.headers.cookie).state;

  if (state !== stateCookie) { // <----- ALWAYS TRUE, SO REQUEST ORIGIN IS NOT VERIFIED
    return res.status(403).send('Request origin cannot be verified');
  }
  // rest of the handler omitted
});
```

I've checked the req/res objects for this cookie in the /shopify/callback route, but there's never a cookie...

I have noticed that sometimes when redirected to the shopify install page, a red alert appears and says something like "this page doesn't accept third party cookies", so I'm wondering if that has something to do with it...?

Any ideas why the cookie doesn't come back with the callback request object?

New Member

Did you get an answer for this???

Shopify Partner

I had the same issue.

If you followed this tutorial you are using ngrok to expose your development environment to Shopify servers.

You're asking Shopify to redirect user to your callback url but you're starting your authorization flow from http://localhost:3000 so the cookie you are setting at the first step is available from localhost domain but invisible to the domain where user will be redirected to at the end of the authorization flow (


Try starting your authorization flow from and it will work.



New Member



I am making my authorization from ngrok. While authorizing, it works fine, but when I click on the app in my store it gives me an error. When I console req.headers.cookie, it is undefined. Can you please help me out? The code is the same as above.

Shopify Partner
```javascript
const cookie = require("cookie");
const nonce = require("nonce")();
```

to access that store cookie

```javascript
const state = nonce();
res.cookie("state", state, { httpOnly: false, secure: true, sameSite: "none" });
```

to access that store cookie

```javascript
const stateCookie = cookie.parse(req.headers.cookie).state;
```

happy coding 🙂
Shopify Partner

When you access your install endpoint, which in your case is:


 you need to access it via ngrok, like so:



If you access it via localhost it won't work, as @manyar82 mentioned.
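
The host mismatch described in the replies above, as an added example that is not part of the original thread or the tutorial: it models a browser's host-only cookie scoping and a callback check that tolerates a missing `Cookie` header. The `Jar` class, `runInstall`, the helper names and the `example.ngrok.io` host are constructed for illustration, and only Node.js built-ins are used.

```javascript
const crypto = require('crypto');

// Cookie header parser that tolerates a missing header (req.headers.cookie === undefined).
// Assumes plain token values, so no percent-decoding is done.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Constant-time comparison of the state query parameter and the state cookie.
function sameState(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Model of the browser: a cookie set without a Domain attribute is host-only
// and is sent back only to the host that set it (the port is ignored).
class Jar {
  constructor() { this.byHost = new Map(); }
  store(url, name, value) {
    const host = new URL(url).hostname;
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    this.byHost.get(host).set(name, value);
  }
  headerFor(url) {
    const cookies = this.byHost.get(new URL(url).hostname);
    if (!cookies) return undefined; // the server sees no Cookie header at all
    return [...cookies].map(([k, v]) => `${k}=${v}`).join('; ');
  }
}

// Start the install at startOrigin, receive the callback at callbackOrigin.
function runInstall(startOrigin, callbackOrigin) {
  const jar = new Jar();
  const state = crypto.randomBytes(16).toString('hex');
  jar.store(startOrigin + '/shopify', 'state', state); // res.cookie('state', state)
  const header = jar.headerFor(callbackOrigin + '/shopify/callback');
  const stateCookie = parseCookies(header).state;
  if (stateCookie === undefined) return 'no-state-cookie';
  return sameState(state, stateCookie) ? 'verified' : 'state-mismatch';
}
```

Returning a distinct `no-state-cookie` result separates a flow started on the wrong host from a genuine state mismatch, which the single 403 in the original handler cannot tell apart.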