We're constantly trying to improve your support experience, and your feedback is extremely valuable to us.

Please take a moment to tell us about your experience today.
Sign up for future Help Center user research studies.

Getting and storing the shop origin

To keep your embedded apps secure, you are required to lock all communications to the shop origin. The shop origin is the hostname for the current shop, which consists of the shop name followed by myshopify.com. The shop origin for the current session is contained in the shop URL query parameter that’s appended to your application URL when your app is loaded inside the Shopify admin.

Several libraries require the shop origin, including Shopify App Bridge, Polaris, and the EASDK. It’s a good idea to retrieve it and then store it for the duration of the session.

Getting and storing the shop origin

The process of getting and storing the shop origin is different depending on the library that you’re using for your app.

koa-shopify-auth

If you’re using koa-shopify-auth, then the shop parameter is automatically parsed from the authentication URL and stored in the context session under the shop key (for example, ctx.session.shop).

shopify_app gem

If you’re using the shopify_app gem, then the shop parameter is automatically parsed from the authentication URL and stored in the session under the :shopify_domain key (for example, session[:shopify_domain]).

Getting and storing the shop origin manually

If you’re unable to use any of the Shopify-provided libraries listed above, then you need to parse the shop parameter out of the authentication URL and store it for later use.

To get the shop parameter, parse it out of the confirmation redirect URL during the installation confirmation step of the authorization process.

After you’ve got the shop parameter, you need to store it for the duration of the user session. It’s best to use the session mechanism of your preferred framework. Otherwise, you can store the parameter in an HTTP-only cookie.

Verification

Each embedded application URL includes an hmac query parameter that can be used to authenticate the request from Shopify.

To learn more about this process, see the documentation about verifying requests from Shopify.

Sign up for a Partner account to get started.

Sign up