OAuth overview
This guide introduces the OAuth flow for apps that are created in the Partner Dashboard.
Introduction to OAuth
OAuth 2.0 is the industry-standard protocol for authorizing apps, that is, for granting them permission to act on a user's behalf. This differs from authentication, which is the process of verifying the identity of the user or the app: an access token proves that a grant was made, not who is presenting it. The following video illustrates how OAuth works in Shopify:
The OAuth flow
Shopify uses OAuth 2.0's authorization code grant flow to issue access tokens on behalf of users. The OAuth flow is used so that users can authorize Shopify apps to access data in a store. For example, an app might be authorized to access orders and product data in a store.
The following diagram illustrates the OAuth flow based on the actions of the user, your app, and Shopify:
1. The user makes a request to install the app.
2. The app redirects to Shopify to load the OAuth grant screen and asks the user to authorize the required scopes. For apps that declare their API access scopes in the TOML configuration file, the OAuth grant screen may appear before the app redirects to Shopify.
3. The user authorizes the app by consenting to the requested scopes.
4. The app receives an authorization grant. This is a temporary, single-use credential representing the authorization; it is not itself an access token and cannot be used against the API.
5. The app requests an access token by authenticating with Shopify (using its client credentials) and presenting the authorization grant.
6. Shopify authenticates the app, validates the authorization grant, and then issues and returns an access token. The app can now request data from Shopify.
7. The app uses the access token to make requests to the Shopify API.
8. Shopify validates the access token and returns the requested data.
Ways to implement OAuth
Shopify provides several resources to help you authorize your app with OAuth. The resource you use depends on whether you're creating a new app, and on the language and structure of your app.
- If you're creating a new app, then Shopify recommends using Shopify CLI to create your app using an app template. Each app template includes code for an embedded app that uses OAuth and session tokens.
- If you're implementing OAuth for an existing app, or don't want to use an app template, then consider using a Shopify Admin API library. These libraries provide methods for authenticating with OAuth, and are used by Shopify app templates.
You can also implement OAuth without a library. However, using a library makes your implementation faster and your app more secure, because the library handles the error-prone parts for you: verifying the HMAC that Shopify attaches to its requests, checking that the callback's state parameter matches the value your app generated, and performing the token exchange over the correct endpoint.
If you're creating a new app, then you don't need to do anything else to get started with OAuth.
If you're using a library or implementing OAuth yourself, then refer to Getting started with OAuth for more information.
OAuth performance best practices
Because OAuth is the first interaction users have with your app UI, you should make sure that it's a positive experience. Refer to our OAuth performance best practices to learn how to make your app authorization process smoother, faster, and more polished.
If you already implemented OAuth in your app, then consider updating your implementation to follow these best practices. For more information, refer to Update your embedded app OAuth flow.