Shopify OAuth
OAuth2 is a protocol that lets external apps request authorization to private details in a Shopify store without getting their password. This is preferred over Basic Authentication because tokens can be limited to specific types of data, and can be revoked by users at any time.
All developers need to register their application before getting started. A registered OAuth application is assigned a unique API Key and Secret. The Secret should not be shared.
This is a description of the OAuth flow as used by third-party web sites.
1. Redirect users to request Shopify access
GET https://SHOP_NAME.myshopify.com/admin/oauth/authorize
Parameters
client_id Required string - The API Key you received from Shopify when you registered.
scope string - Comma separated list of scopes.
redirect_uri Optional string - URL in your app where users will be sent after authorization. See the details below about redirect URLs.
2. Shopify redirects back to your site
If the user accepts your request, Shopify redirects back to your site with a temporary code in a code parameter. Exchange this for an access token:
POST https://SHOP_NAME.myshopify.com/admin/oauth/access_token
Parameters
client_id Required string - The API Key you received from Shopify when you registered.
client_secret Required string - The Secret you received from Shopify when you registered.
code Required string - The code you received as a response to Step 1.
Response
access_token Required string - OAuth access token.
3. Use the access token to access the API
The access token allows you to make requests to the API on behalf of a user.
GET https://SHOP_NAME.myshopify.com/admin/products?access_token=...
(The preferred method is to send the access_token in the 'X-Shopify-Access-Token' header rather than in the query string.)
The redirect_uri parameter is optional. If left out, Shopify will redirect users to the callback URL configured in the OAuth Application settings. If provided, the redirect URL must match the callback URL’s host.
CALLBACK: http://foo.com
GOOD: https://foo.com
GOOD: http://foo.com/bar
BAD: http://bar.com
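The three steps above and the redirect_uri host rule, as an added standard-library example (not code from this wiki or from the Shopify project). It builds the authorize URL, rejects a redirect_uri whose host differs from the registered callback, and prepares the token-exchange and API requests offline without sending them; the shop name, API Key, Secret and callback are placeholders.

```python
import urllib.request
from urllib.parse import urlencode, urlparse

SHOP = "example-shop"        # placeholder for SHOP_NAME
API_KEY = "YOUR_API_KEY"     # placeholder: the API Key assigned at registration
API_SECRET = "YOUR_API_SECRET"  # placeholder: the Secret, never shared or logged
CALLBACK = "http://foo.com"  # placeholder: callback URL in the OAuth Application settings


def redirect_uri_allowed(redirect_uri, callback=CALLBACK):
    """Rule from the wiki: redirect_uri must match the callback URL's host.
    Scheme and path may differ (https://foo.com, http://foo.com/bar are fine)."""
    return urlparse(redirect_uri).hostname == urlparse(callback).hostname


def authorize_url(scopes, redirect_uri=None):
    """Step 1: the /admin/oauth/authorize URL users are redirected to.
    Scopes are comma separated; a mismatched redirect_uri is refused client-side."""
    if redirect_uri is not None and not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri host does not match callback %s" % CALLBACK)
    params = {"client_id": API_KEY, "scope": ",".join(scopes)}
    if redirect_uri is not None:
        params["redirect_uri"] = redirect_uri
    return "https://%s.myshopify.com/admin/oauth/authorize?%s" % (
        SHOP, urlencode(params, safe=","))


def token_request(code):
    """Step 2: POST to /admin/oauth/access_token exchanging the temporary code.
    The Secret travels only in the POST body of this server-to-server call."""
    body = urlencode({"client_id": API_KEY, "client_secret": API_SECRET,
                      "code": code}).encode()
    return urllib.request.Request(
        "https://%s.myshopify.com/admin/oauth/access_token" % SHOP,
        data=body, method="POST")


def api_request(access_token, path="/admin/products"):
    """Step 3: call the API with the token in X-Shopify-Access-Token,
    keeping it out of the URL (and therefore out of logs and referrers)."""
    return urllib.request.Request(
        "https://%s.myshopify.com%s" % (SHOP, path),
        headers={"X-Shopify-Access-Token": access_token})


if __name__ == "__main__":
    print(authorize_url(["write_products", "read_content"]))
```

A real run would `urllib.request.urlopen` the Step 2 request and read `access_token` from its body before building the Step 3 request.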
Scopes let you specify exactly what type of access you need. This will be displayed to the user on the authorize form.
(read|write)_content - read/write Article, Blog, Comment, Pages, and Redirects resources.
(read|write)_themes - read/write Asset and Theme resources.
(read|write)_products - read/write Product, ProductVariant, ProductImages, Collect, CustomCollection, SmartCollection resources.
(read|write)_customers - read/write Customer and CustomerGroup resources.
(read|write)_orders - read Order, read/write Transaction and Fulfillment resources.
(read|write)_script_tags - read/write ScriptTag resources.
(read|write)_shipping - read/write Shipping resources (coming soon).
Requesting any permission will give you read/write access to Shop, Country, Event, ProductSearchEngine and Province resources.
Metafield and Webhook permissions are implied by the other permissions requested. For example, requesting Product permissions will allow you to register 'product/*' Webhooks.
NOTE: Your application can request the scopes in the initial redirection. You can specify multiple scopes by separating them by a comma.
https://SHOP_NAME.myshopify.com/admin/oauth/authorize?
client_id=...&
scope=write_products,read_content
Credit to GitHub's own OAuth docs, on which these were based: http://developer.github.com/v3/oauth/