Once the library is set up for your project, you'll be able to use it to start adding functionality to your app. The first thing your app will need to do is to obtain an access token to the Admin API by performing the OAuth process.
To do this, you can follow the steps below. For more information on authenticating a Shopify app please see the Types of Authentication page.
Session persistence is deprecated from the ShopifyAPI library gem since version 12.3.0. The responsibility of session storage typically is fulfilled by the web framework middleware.
This API library's focus is on making requests and facilitate session creation.
If using in the Rails framework, we highly recommend you use the shopify_app gem to perform OAuth, you won't have to follow the instructions below to start your own OAuth flow.
- See
ShopifyApp's documentation on session storage
If you aren't using Rails, you can look at how the ShopifyApp gem handles OAuth flow for further examples:
- Session Controller
- Triggering and redirecting user to begin OAuth flow
- Callback Controller
- Creating / storing sessions to complete the OAuth flow
- Add a route to start OAuth
- Add an Oauth callback route
- Begin OAuth
- Handle OAuth Callback
- Using OAuth Session to make authenticated API calls
Add a route to your app to start the OAuth process.
class ShopifyAuthController < ApplicationController
def login
# This method will trigger the start of the OAuth process
end
endAfter the app is authenticated with Shopify, the Shopify platform will send a request back to your app using this route
(which you will provide as the redirect_path parameter to begin_auth method, in step 3 - Begin OAuth).
class ShopifyCallbackController < ApplicationController
def callback
# This callback method will be called once user grants permission to this app from Shopify Admin.
endUse ShopifyAPI::Auth::Oauth.begin_auth method to start OAuth process for your app.
| Parameter | Type | Required? | Default Value | Notes |
|---|---|---|---|---|
shop |
String |
Yes | - | A Shopify domain name in the form {exampleshop}.myshopify.com. |
redirect_path |
String |
Yes | - | The redirect path used for callback with a leading /. The route should be allowed under the app settings. |
is_online |
Boolean |
No | true |
true if the session is online and false otherwise. |
begin_auth method will return a hash result in the form of:
{
auth_route: String,
cookie: ShopifyAPI::Auth::Oauth::SessionCookie,
}| Key | Type | Notes |
|---|---|---|
auth_route |
String |
URI that will be used for redirecting the user to the Shopify Authentication screen |
cookie |
ShopifyAPI::Auth::Oauth::SessionCookie |
A session cookie to store on the user's browser. |
Your app should take the returned values from the begin_auth method and:
- Set the cookie in the user's browser. We strongly recommend that you use secure, httpOnly cookies for this to help prevent session hijacking.
- Redirect the user to authorization url defined by
auth_route.- This will redirect the user to the Shopify Admin page to authorize/grant permission to the app.
An example is shown below in a Rails app but these steps could be applied in any framework:
class ShopifyAuthController < ApplicationController
def login
shop = request.headers["Shop"]
# Builds the authorization URL route to redirect the user to
auth_response = ShopifyAPI::Auth::Oauth.begin_auth(shop: domain, redirect_path: "/auth/callback")
# Store the authorization cookie
cookies[auth_response[:cookie].name] = {
expires: auth_response[:cookie].expires,
secure: true,
http_only: true,
value: auth_response[:cookie].value
}
# Redirect the user to "auth_response[:auth_route]" to allow user to grant the app permission
# This will lead the user to the Shopify Authorization page
head 307
response.set_header("Location", auth_response[:auth_route])
end
endShopifyApp gem's SessionController.
When the user grants permission to the app in Shopify admin, they'll be redirected back to the app's callback route (configured in Step 2 - Add an OAuth callback route).
Use ShopifyAPI::AuthL::Oauth.validate_auth_callback method to finalize the OAuth process.
| Parameter | Type | Notes |
|---|---|---|
cookies |
Hash |
All browser cookies in a hash format with key and value as String |
auth_query |
ShopifyAPI::Auth::Oauth::AuthQuery |
An AuthQuery containing the authorization request information used to validate the request. |
This method returns a hash containing the new session and a cookie to be set in the browser in form of:
{
session: ShopifyAPI::Auth::Session,
cookie: ShopifyAPI::Auth::Oauth::SessionCookie,
}| Key | Type | Notes |
|---|---|---|
session |
ShopifyAPI::Auth::Session |
A session object that contains necessary information to identify the session like shop, access_token, scope, etc. |
cookie |
ShopifyAPI::Auth::Oauth::SessionCookie |
A session cookie to store on the user's browser. |
Your app should call validate_auth_callback to construct the Session object and cookie that will be used later for authenticated API requests.
- Call
validate_auth_callbackto constructSessionandSessionCookie. - Update browser cookies with the new value for the session.
- Store the
Sessionobject to be used later when making authenticated API calls.- See Make a GraphQL API call, or
Make a REST API call for examples on how to use the result
Sessionobject.
- See Make a GraphQL API call, or
Make a REST API call for examples on how to use the result
An example is shown below in a Rails app but these steps could be applied in any framework:
def callback
begin
# Create an AuthQuery object from the request parameters,
# and pass the list of cookies to `validate_auth_callback`
auth_result = ShopifyAPI::Auth::Oauth.validate_auth_callback(
cookies: cookies.to_h,
auth_query: ShopifyAPI::Auth::Oauth::AuthQuery.new(
request.parameters.symbolize_keys.except(:controller, :action)
)
)
# Update cookies with the authorized access token from result
cookies[auth_result[:cookie].name] = {
expires: auth_result[:cookie].expires,
secure: true,
http_only: true,
value: auth_result[:cookie].value
}
# Store the Session object if your app has a DB/file storage for session persistence
# This session object could be retrieved later to make authenticated API requests to Shopify
MyApp::SessionRepository.store_session(auth_result[:session])
puts("OAuth complete! New access token: #{auth_result[:session].access_token}")
head 307
response.set_header("Location", "<some-redirect-url>")
rescue => e
puts(e.message)
head 500
end
endShopifyApp gem's CallbackController.
Once your OAuth flow is complete, and you have stored your Session object from Step 4 - Handle OAuth Callback, you may use that Session object to make authenticated API calls.
Example:
def make_api_request(shop)
# 1. Retrieve the Session object stored from previous step
session = MyApp::SessionRepository.retrieve_session_for_shop(shop)
# 2. Create API client with the session information
# session must be type `ShopifyAPI::Auth::Session`
graphql_client = ShopifyAPI::Clients::Graphql::Admin.new(session: session)
# 3. Use API client to make queries
response = graphql_client.query(query: MY_API_QUERY)
# 4. Use the response for your app
...
endAlternatively, if you don't want to keep having to retrieve a Session object for a shop, you may set ShopifyAPI::Context.active_session.
All of the API client classes will use the active_session if the session passed in is nil.
Example:
#### Configuration
def configure_app
# This method is called before making authenticated API calls
session = retrieve_session_from_file # your implementation of retrieving a session
# Activate session to be used in all API calls
# session must be type `ShopifyAPI::Auth::Session`
ShopifyAPI::Context.activate_session(session)
end
#### Using clients to make authenticated API calls
def make_api_request
# 1. Create API client without session information
# The graphql_client will use `ShopifyAPI::Context.active_session` when making API calls
graphql_client = ShopifyAPI::Clients::Graphql::Admin.new
# 2. Use API client to make queries
...
end