Migrating Legacy to OAuth

Currently Shopify uses OAuth 2.0 as the authentication standard for Shopify applications, but some Shopify applications are still using our legacy authentication system. It is important that developers update their applications to use OAuth, as our legacy authentication system will be deprecated and become unusable on May 7th, 2017.

OAuth authentication uses a token generated from your app's pre-existing legacy authentication. The algorithm is an MD5 hex digest of the application secret concatenated with the merchant's legacy token (application_secret + user_legacy_token). In Ruby, the code would be like this:

require 'digest'
Digest::MD5.hexdigest(app_secret + merchant_current_legacy_token)

In PHP, the code would be like this:

md5($app_secret . $merchant_current_legacy_token)

The returned result will be the OAuth token. You can now perform an authenticated API request to the merchant's shop by providing the generated token in the X-Shopify-Access-Token header.

We strongly suggest that the transition occurs in small steps:

  1. Create a new column in the database as oauth_token (or any other name) and apply the digest algorithm for each merchant. Test to see if the calculation was successful.
  2. Locally, update your app's code to use OAuth (this means updating whatever libraries your app needs) and make it use the new column (oauth_token) as the api_token.
  3. Push the new version of your app and change the app to use OAuth in the Shopify app panel at the same time.
  4. Delete the old column storing the old legacy token.
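
Steps 1 and 2 above, sketched as an added Ruby example (not Shopify's code). It assumes the merchant table is represented as in-memory hashes with a legacy_token key; the function names, that key name and all sample values are hypothetical.

```ruby
require 'digest'

# Derivation as stated on the page: MD5 hex digest of app_secret
# followed by the merchant's legacy token.
def derive_oauth_token(app_secret, legacy_token)
  raise ArgumentError, 'blank app secret' if app_secret.to_s.empty?
  raise ArgumentError, 'blank legacy token' if legacy_token.to_s.empty?
  Digest::MD5.hexdigest(app_secret + legacy_token)
end

# Step 1: fill oauth_token and leave legacy_token in place until step 4.
# Returns the shops that could not be migrated; tokens are never printed.
def backfill_oauth_tokens(rows, app_secret)
  rows.each_with_object([]) do |row, failed|
    begin
      row[:oauth_token] = derive_oauth_token(app_secret, row[:legacy_token])
    rescue ArgumentError
      failed << row[:shop]
    end
  end
end

# Step 1 check: the stored value must be 32 lowercase hex characters and
# match a fresh derivation. Returns the shops that fail.
def verify_backfill(rows, app_secret)
  bad = rows.reject do |row|
    token  = row[:oauth_token].to_s
    legacy = row[:legacy_token].to_s
    !legacy.empty? && token.match?(/\A[0-9a-f]{32}\z/) &&
      token == derive_oauth_token(app_secret, legacy)
  end
  bad.map { |row| row[:shop] }
end

# Step 2: the header the page names, built from the new column only.
def api_headers(row)
  { 'X-Shopify-Access-Token' => row.fetch(:oauth_token) }
end

# Constructed sample data (not real shops, secrets or tokens).
SAMPLE_SECRET = 'constructed-app-secret'
def sample_rows
  [{ shop: 'alpha.example', legacy_token: 'constructed-legacy-1' },
   { shop: 'beta.example',  legacy_token: 'constructed-legacy-2' },
   { shop: 'gamma.example', legacy_token: nil }] # incomplete row
end

rows = sample_rows
puts "not migrated: #{backfill_oauth_tokens(rows, SAMPLE_SECRET).inspect}"
puts "failed check: #{verify_backfill(rows, SAMPLE_SECRET).inspect}"
```

Running the check before step 3 surfaces rows with a missing legacy token, which would otherwise fail only once the app has switched to OAuth.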

Your merchants should not notice anything, but there might be a few seconds of downtime while the transition to OAuth occurs.

Keep in mind that transitioning to OAuth will grant these permissions to your app:

  • write_content
  • write_themes
  • write_products
  • write_customers
  • write_orders
  • write_script_tags
  • write_shipping

You can request an access scope that isn't listed above, but Shopify will prompt the merchant to re-authorize the app. This is a similar process to installing a new app.
