Authentication

Before it can interact with the Shopify API, your app must provide the necessary authentication credentials in each HTTP request that it makes to Shopify. The way to provide these credentials depends on the type of app that you're developing. Shopify supports two different types of apps: public apps and private apps.

Public apps

A public app can interact with the Shopify API on behalf of multiple stores, as long as the app has been granted explicit permission by each merchant who installs it. Public apps can use the Embedded App SDK to be embedded directly inside the Shopify admin.

You can create a public application from the Apps page in your Partner Dashboard.

Public apps authenticate to Shopify by providing the X-Shopify-Access-Token header field in each HTTP request to the Shopify API. This access token is obtained through an OAuth handshake. To learn more about how OAuth works, see OAuth.

Private apps

Private apps can interact with the Shopify API on behalf of only one particular store. These apps authenticate with Shopify through basic HTTP authentication. The required credentials must be generated from the Shopify admin of the store that you want to connect with your app.

To learn more about how authentication works for private apps, see Private authentication.
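The two schemes described under Public apps and Private apps, side by side, as an added example that is not Shopify's own code. It assumes store hosts of the form `<name>.myshopify.com`, that the private app's basic-auth pair is an API key and password, and uses an illustrative path; the function names and all credential values are constructed for the example.

```python
import base64
import re

# Assumption: store hosts look like "<name>.myshopify.com". Rejecting anything
# else keeps credentials from being sent to an unintended host.
_SHOP_HOST = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")


def _url(shop_host, path):
    if not _SHOP_HOST.fullmatch(shop_host):
        raise ValueError("unexpected shop host: %r" % shop_host)
    if not path.startswith("/") or "\r" in path or "\n" in path:
        raise ValueError("path must start with '/' and contain no CR/LF")
    # Always HTTPS: both schemes put a secret in every request.
    return "https://" + shop_host + path


def _no_crlf(value):
    # A CR/LF inside a credential would let it inject extra header lines.
    if "\r" in value or "\n" in value:
        raise ValueError("credential contains CR/LF")
    return value


def public_app_request(shop_host, path, access_token):
    """Public app: the per-store OAuth token goes in X-Shopify-Access-Token."""
    return _url(shop_host, path), {"X-Shopify-Access-Token": _no_crlf(access_token)}


def private_app_request(shop_host, path, api_key, password):
    """Private app: basic HTTP authentication with store-generated credentials."""
    pair = (_no_crlf(api_key) + ":" + _no_crlf(password)).encode("utf-8")
    token = base64.b64encode(pair).decode("ascii")
    return _url(shop_host, path), {"Authorization": "Basic " + token}


def redact(headers):
    """Copy of the headers that is safe to log: credential values are masked."""
    secret = {"x-shopify-access-token", "authorization"}
    return {k: ("[redacted]" if k.lower() in secret else v) for k, v in headers.items()}
```

Basic authentication only base64-encodes the key and password, so anything that logs or proxies the raw `Authorization` header exposes them; log the output of `redact` instead.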