Shopify Embedded App - Need To Get List Of Orders

I have initialized a Shopify Embedded App. How do I get data (for example, the data accessed at /admin/orders.json)? Since I am already in the store's domain at this point, can I call the URL directly, or do I need to make a call to my web server, which will in turn call the API? If I am meant to call my own server, how am I meant to handle security (i.e. how do I know that the request is legit)?




If you call the URL directly in your embedded app's JavaScript, then the request will be sent, but you won't be able to read the response due to the lack of an Access-Control-Allow-Origin header in Shopify's response. For example, in the Chrome console you'll see an error like this:

[Screenshot: Shopify no CORS error]

This is the result of same-origin policy, a security mechanism implemented in all major browsers.

So you first need to call your server and then make a call to the Shopify API. You can ensure that the request from your app is legit by verifying the HMAC that Shopify appends as a query param.