Ad

Authentication Process After Merchant Installed The App

- 1 answer

I've implemented embed app installation process and got access token for shop on backend. How do i supposed to authenticate user when he open the app now? There is no shop name and hmac in query string when user open my app.

Ad

Answer

When you get a token back, for a shop, you are supposed to store that token in your persistence layer so you can re-use it, and to start a session. Whenever Shopify sends a request to your app they include the shop name so you can look it up and get the token and start a session. Requests without a shop name and no session spell re-authentication time.

Are you missing the part about starting a session? If someone is trying to access your App without authenticating, you need to block that access obviously. The tricky thing is ensuring all requests from your App to your App include the shop name so that if the session you started expires, you have a chance of re-authenticating one.

Ad
source: stackoverflow.com
Ad