jduff edited this page Feb 14, 2012 · 1 revision

OAuth2 is a protocol that lets external apps request authorization to access private details in a Shopify store without obtaining the merchant's password. This is preferred over Basic Authentication because tokens can be limited to specific types of data, and can be revoked by users at any time.

All developers need to register their application before getting started. A registered OAuth application is assigned a unique API Key and Secret. The Secret must not be shared or embedded anywhere a user could read it, such as client-side code.

Web Application Flow

This is a description of the OAuth flow for third-party web applications.

1. Redirect users to request Shopify access

GET https://SHOP_NAME.myshopify.com/admin/oauth/authorize

Parameters

client_id Required string - The API Key you received from Shopify when you registered.

scope string - Comma-separated list of scopes. See Scopes below.

redirect_uri Optional string - URL in your app where users will be sent after authorization. See Redirect URLs below.

2. Shopify redirects back to your site

If the user accepts your request, Shopify redirects back to your site with a temporary code in a code parameter. Exchange this for an access token:

POST https://SHOP_NAME.myshopify.com/admin/oauth/access_token

Parameters

client_id Required string - The API Key you received from Shopify when you registered.

client_secret Required string - The Secret you received from Shopify when you registered.

code Required string - The code you received as a response to Step 1.

Response

access_token string - OAuth access token.

3. Use the access token to access the API

The access token allows you to make requests to the API on behalf of a user.

GET https://SHOP_NAME.myshopify.com/admin/products?access_token=...

The preferred method is to send the access token in the 'X-Shopify-Access-Token' header rather than in the query string, where it would end up in server logs, browser history and Referer headers.
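The three steps above, assembled as an added Ruby example (this is not code from the shopify_api gem or from Shopify). Requests are built as Net::HTTP objects so the exchange can be inspected offline; only parameters documented on this page are sent, and the scope list is checked against the scope names listed under Scopes below. Assumptions: the token endpoint answers with a JSON body of the form {"access_token": "..."} (the page does not state the response format), and API_KEY, SECRET and the code are placeholders. The shop name is supplied by the merchant and becomes part of the host, so it is validated as a plain subdomain label before any URL is built from it.

```ruby
require "uri"
require "net/http"
require "json"

# Added example, not shopify_api gem code. Placeholder values are assumptions.
SHOP_NAME_RE = /\A[a-z0-9][a-z0-9-]*\z/i
SCOPE_RE     = /\A(read|write)_(content|themes|products|customers|orders|script_tags|shipping)\z/

# The merchant-supplied shop name is part of the host: accept only a plain
# subdomain label, so a value like "evil.com/x" cannot steer requests elsewhere.
def shop_host(shop_name)
  raise ArgumentError, "invalid shop name: #{shop_name.inspect}" unless shop_name =~ SHOP_NAME_RE
  "#{shop_name.downcase}.myshopify.com"
end

# Step 1: the URL the user is redirected to. Scopes are checked against the
# names documented on this page and joined with commas, as the page specifies.
def authorize_url(shop_name, api_key, scopes, redirect_uri = nil)
  unknown = scopes.reject { |s| s =~ SCOPE_RE }
  raise ArgumentError, "unknown scopes: #{unknown.join(',')}" unless unknown.empty?
  params = { "client_id" => api_key, "scope" => scopes.join(",") }
  params["redirect_uri"] = redirect_uri if redirect_uri
  "https://#{shop_host(shop_name)}/admin/oauth/authorize?#{URI.encode_www_form(params)}"
end

# Step 2: the POST that exchanges the temporary code for an access token.
# The secret travels only in this server-to-server request body.
def access_token_request(api_key, api_secret, code)
  req = Net::HTTP::Post.new("/admin/oauth/access_token")
  req.set_form_data("client_id" => api_key, "client_secret" => api_secret, "code" => code)
  req
end

# Sends a prepared request to the shop over TLS (the only part that needs a network).
def send_request(shop_name, req)
  Net::HTTP.start(shop_host(shop_name), 443, use_ssl: true) { |http| http.request(req) }
end

# Parses the token response. Assumption: JSON body with an "access_token" key.
def parse_access_token(body)
  token = JSON.parse(body)["access_token"]
  raise "no access_token in response" if token.nil? || token.empty?
  token
end

# Step 3: an API call carrying the token in the header (the preferred method
# above) instead of in the query string, where it would be logged.
def api_request(access_token, path)
  req = Net::HTTP::Get.new(path)
  req["X-Shopify-Access-Token"] = access_token
  req
end

if __FILE__ == $0
  puts authorize_url("example-shop", "API_KEY", %w[write_products read_content],
                     "https://app.example/callback")
  # After the user returns with ?code=..., exchange and call the API:
  # token = parse_access_token(send_request("example-shop", access_token_request("API_KEY", "SECRET", code)).body)
  # send_request("example-shop", api_request(token, "/admin/products.json"))
end
```

Note that this page documents no anti-CSRF parameter for the authorize request, so the example sends none; the server side should still tie the returned code to the browser session that started the flow before exchanging it.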

Redirect URLs

The redirect_uri parameter is optional. If left out, Shopify will redirect users to the callback URL configured in the OAuth Application settings. If provided, the redirect URL must match the callback URL’s host.

CALLBACK: http://foo.com

GOOD: https://foo.com

GOOD: http://foo.com/bar

BAD: http://bar.com
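The host-matching rule stated above, applied to the page's own CALLBACK/GOOD/BAD cases, as an added Ruby example (not Shopify's or the shopify_api gem's code). It assumes "host" means the parsed hostname compared case-insensitively, with scheme, port and path ignored, since the two GOOD cases differ from the callback in scheme and path respectively. A naive prefix comparison is shown beside it to illustrate why the comparison must be made on the parsed host: a string prefix check accepts http://foo.com.evil.com, and a host-only check that is not done on the parsed URI can be fooled by userinfo such as http://foo.com@evil.com.

```ruby
require "uri"

# Added example, not Shopify's implementation. Compares only the hostname,
# which is the rule stated on this page.
def redirect_allowed?(callback_url, redirect_uri)
  callback = URI.parse(callback_url)
  redirect = URI.parse(redirect_uri)
  # Only web URLs may receive the code; javascript:, data: etc. have no host.
  return false unless %w[http https].include?(redirect.scheme)
  return false if callback.host.nil? || redirect.host.nil?
  callback.host.downcase == redirect.host.downcase
rescue URI::InvalidURIError
  false
end

# Deliberately weak variant for contrast: a string prefix check looks like a
# host check but accepts "http://foo.com.evil.com" for callback "http://foo.com".
def naive_redirect_allowed?(callback_url, redirect_uri)
  redirect_uri.start_with?(callback_url)
end

if __FILE__ == $0
  callback = "http://foo.com"
  ["https://foo.com", "http://foo.com/bar", "http://bar.com",
   "http://foo.com.evil.com/", "http://foo.com@evil.com/", "javascript:alert(1)"].each do |uri|
    puts "#{uri.ljust(28)} strict=#{redirect_allowed?(callback, uri)} naive=#{naive_redirect_allowed?(callback, uri)}"
  end
end
```

Because only the host is compared, every path on the app's host is an acceptable destination for the temporary code; an open redirect anywhere on that host would therefore let the code be sent on to a third party. Registering the most specific callback URL you can and accepting only that exact URL in your own handler is the stricter choice.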

Scopes

Scopes let you specify exactly what type of access you need. This will be displayed to the user on the authorize form.

(read|write)_content - read/write Article, Blog, Comment, Page and Redirect resources.

(read|write)_themes - read/write Asset and Theme resources.

(read|write)_products - read/write Product, ProductVariant, ProductImage, Collect, CustomCollection and SmartCollection resources.

(read|write)_customers - read/write Customer and CustomerGroup resources.

(read|write)_orders - read Order, read/write Transaction and Fulfillment resources.

(read|write)_script_tags - read/write ScriptTag resources.

(read|write)_shipping - read/write Shipping resources (coming soon).

Requesting any permission will give you read/write access to Shop, Country, Event, ProductSearchEngine and Province resources.

Metafield and Webhook permissions are implied by the other permissions requested, e.g. requesting Product permissions will allow you to register 'product/*' Webhooks.

NOTE: Your application requests its scopes in the initial redirection. Specify multiple scopes by separating them with commas, and request only the scopes you need, since the list is shown to the user on the authorize form.

https://SHOP_NAME.myshopify.com/admin/oauth/authorize?
  client_id=...&
  scope=write_products,read_content

Credit to GitHub's own OAuth docs, on which these were based: http://developer.github.com/v3/oauth/
