Authenticating non-shopify webhooks

Authentication & Access
1

I’m building a Shopify app using the Shopify CLI and Partner Dashboard. My app’s goal is to receive a webhook from a third-party service (Klaviyo in this case), parse the payload, and then use the Shopify Admin API to query and update customer records.

I’ve successfully received the third-party webhook, but I’m stuck on how to authenticate the connection to Shopify’s Admin API. I initially tried using shopify.authenticate.admin(request), but this doesn’t work because the request isn’t coming from Shopify.

How can I manually authenticate the Admin API in this scenario? I assume I need to initialize the Admin API client with an access token and shop domain, but I’m unclear on how to set this up within the Shopify app structure, when I install the app on my dev store there is no access token shown, it goes straight to the apps frontend.

Here are a few additional details:

  • I’ve created the app via Shopify CLI (using the Remix template).
  • I’ve set up my app with the read_customers and write_customers scopes.
  • I have tried the OAuth flow thing but never given a access token to use.

Am I even doing the right thing or should I using the ‘extension-only’ app or create it from scratch?

Any guidance would be greatly appreciated.

1 Like
2

Hi there!

Are you building a public or a custom app?

If you’re creating a custom app, you can build it directly in the Shopify Admin. After that, you can utilize the access token generated for this custom app to interact with the Shopify Admin API.

On the other hand, if you’re developing a public app, you’ll need to generate the access token through the authentication flow and the token exchange flow.

3

I think I actually want a custom app, but can they receive external webhooks?

4

Did you solve the problem?

5

In the end I just created an app hosted on a cloud-server, and created a private app on my shopify store to get the access token to use in the app.
I couldn’t figure out how to access the token the CLI build apps used.

6

It kind of depends on your database of choice.

You’ll need to retrieve the corresponding merchant’s myshopify.com domain and the corresponding access token.

Then you can either use your HTTP client of choice to send authenticated requests, or you can use to the @shopify/admin-api-client library and pass the merchant’s details to create a GraphQL client:


const merchant = yourDb.findByDomain("example.myshopify.com")

const client = createAdminApiClient({
      storeDomain: merchant.domain,
      apiVersion: "2024-10",
      accessToken: merchant.accessToken,
    })
7

Yeah the issue I was finding is getting the access token when the app was created in the Shopify Partner dashboard/Shopify CLI. It was all handled and seemingly inaccessible buy non-shopify requests.

8

If you’re using the Shopify Remix template, it will automatically find the current merchant’s access token via the session. But the session needs the context of the merchant either from an embedded session token or from the Shopify webhook headers.

But yes, to make authenticated requests on behalf of merchants outside of those events, you’ll need to look it up manually and set up your GraphQL client.