Shopify Embedded App Authenticating Requests To My Postgresql Db

- 1 answer

Does shopify have a method of authenticating requests to my postgresql db. I was given code to a shopify embedded app done using ruby on rails (backend) and react.js with Polaris (front end) and I see that the front end makes requests to the backend without any headers or authorization.


.then(response=> {
.catch(error=> {

This seems to work and print outs the response from the backend.

However, when I run the server and make the GET request through Postman, passing in this URL:


I can see in my terminal that I get status 302 (redirected to login).

Processing by Api::MainController#vendor as JSON
Redirected to https://<NGROK_URL>/login
Completed 302 Found in 19ms (ActiveRecord: 0.0ms)

I’m wondering if there’s some sort of authentication that shopify does when developing an embedded app that I’m unaware of. For example does it implicitly pass in some token? If so, where can i find this. Sorry for this question if it sounds newby, I’m pretty new to shopify dev.



Shopify usually passes a hmac argument that needs to be validated in the backend.

This hmac includes mostly static information like your store name, timestamp, language etc... but the important part is that is salted with the APP password.

You can read more about this here:

This means that you can't make requests outside of Shopify.