App install / connect flow — merchant pastes store URL → OAuth → fetch orders & create labels — is this correct?

Hi — I’m building a public Shopify app (MezzexCarrierService) that lets merchants connect their stores so my system can fetch orders and create shipping labels automatically.

Proposed flow:

  1. Merchant enters their store domain ({shop}.myshopify.com) in my app dashboard.

  2. App redirects merchant to the Shopify OAuth URL:

https://{shop}.myshopify.com/admin/oauth/authorize
?client_id={MY_API_KEY}
&scope=read_orders,write_orders,read_fulfillments,write_fulfillments,read_customers,read_inventory
&redirect_uri=https://myapp.example.com/api/shopify/auth/callback
&state={nonce}

  3. Merchant approves permissions. Shopify redirects to my callback with code, hmac, shop, state.

  4. Backend verifies HMAC, exchanges code for an access_token via POST https://{shop}/admin/oauth/access_token.

  5. I persist the token (secure DB), then call Admin API to fetch orders and create shipping labels via our carrier integration.

  6. After label creation, app updates fulfilment and tracking via the Admin API and uses webhooks to handle uninstalls/orders/fulfilment updates.

Questions / concerns:

  • Is this the correct and standard approach for letting merchants “paste their store URL” and connect via OAuth? Or should I ask them to install via a generated install link instead?

  • Which scopes are essential for a shipping/fulfilment app? I plan to request read_orders, write_orders, read_fulfillments, write_fulfillments, read_customers, read_inventory. Should I also request read_all_orders or is read_orders enough for typical fulfilment workflows?

  • Any compliance/security checks I’m missing (HMAC verification, storing tokens, encryption at rest, webhooks for uninstall, Protected customer data form)?

  • I saw the “turn your app into a sales channel” option — I don’t want that. Is there any reason a fulfilment app would need that toggled?

  • Best practices for storing the access token and mapping it to the shop? (I plan encrypted DB fields + key rotation.)

TL;DR: Merchant pastes store URL → OAuth install → token → Admin API to read orders and create labels. Is this the right approach and what pitfalls should I watch for?

Thanks in advance for any pointers.

What you’re describing is an external OAuth flow.

You have to manage the OAuth handshake yourself, and implement your own session authentication after the merchant is OAuth’d from Shopify.

You didn’t mention how you planned on distributing your app. From your description, it sounds like you already have this service outside of Shopify for other eCommerce platforms potentially.

Are you counting on listing on the Shopify App Store as an installable app?

Or, are you planning on distributing as a custom Shopify App, and not publishing publicly?

Because the latter means you can simply give instructions to show merchants how to create a custom app, and they can provide their access tokens to you directly, without having to implement OAuth at all.
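The callback checks from the proposed flow (validate shop, verify hmac, compare state) as an added example; this is not code from either poster or from Shopify. It follows Shopify's documented scheme of removing hmac, sorting the remaining parameters and signing them with HMAC-SHA256 keyed by the app's client secret. The function names, the demo secret and the sample values are constructed, and the values are assumed to contain no `%`, `&` or `=` characters.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

# Accept only <name>.myshopify.com, both for the domain the merchant pastes
# and for the shop value that comes back on the callback.
SHOP_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com")

# Constructed sample values, not real credentials.
DEMO_SECRET = "constructed-client-secret"
DEMO_STATE = "nonce-8f3a1c"


def sign_query(params, client_secret):
    """Hex HMAC-SHA256 over the sorted key=value pairs, excluding 'hmac'."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(client_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(query_string, client_secret, expected_state):
    """Return (shop, code) for an authentic callback, else raise ValueError."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    for key in ("code", "hmac", "shop", "state"):
        if key not in params:
            raise ValueError(f"missing parameter: {key}")
    if not SHOP_RE.fullmatch(params["shop"]):
        raise ValueError("invalid shop hostname")
    expected = sign_query(params, client_secret)
    # Constant-time comparison on bytes, so odd input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), params["hmac"].encode()):
        raise ValueError("HMAC mismatch")
    if not hmac.compare_digest(params["state"].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return params["shop"], params["code"]


def demo_query(shop="example-store.myshopify.com"):
    """Build a signed callback query string from constructed values."""
    params = {"code": "constructed-code", "shop": shop,
              "state": DEMO_STATE, "timestamp": "1700000000"}
    params["hmac"] = sign_query(params, DEMO_SECRET)
    return urlencode(params)


if __name__ == "__main__":
    print(verify_callback(demo_query(), DEMO_SECRET, DEMO_STATE))
```

Only after `verify_callback` returns should the backend exchange the code for a token, and the returned shop is the key to store that token under.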