Automated install review - managed install required for new embedded apps?

During the automated app store review, my app is failing the check:
“Immediately authenticates after install”

The app is embedded and install works fine on my dev stores. When installing manually, the request flow starts by hitting my app root, then I do an automated redirect to the OAuth URL with scopes param, etc.

Looking at the expected URL, it seems like it wants me to use the managed installation flow. During the automated test, no requests are issued to my server which also supports this theory.

Is it mandatory to use managed install for embedded apps now? Obviously, I’d rather continue using the auth flow that I have working rather than retooling for managed install.

Expected URL: https://admin.shopify.com/store/xbbf0y-vp/app/grant

Actual URL: https://MY_APP_DOMAIN/?hmac=d8cb08a4c0d06448829e3e3432f8cb63851d26c1e7bda703f058a3dbdaf4d11f&host=YWRtaW4uc2hvcGlmeS5jb20vc3RvcmUveGJiZjB5LXZw&shop=xbbf0y-vp.myshopify.com&timestamp=1750173698


Hey @Coop,

Thanks for sharing that. You shouldn’t have to use managed installations. Have you double checked that your app is using the redirect as described here: “Implement authorization code grant manually”?

To run a test similar to the automated check, when you install your app using the install link in the partner dashboard, does it redirect to oauth as expected?
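As an added example (not code from this thread or from Shopify), the legacy flow discussed here, where the app root receives the signed install request and answers with a redirect to the OAuth URL, could look like this in Python. The credentials, callback URL and sample request are constructed placeholders; the HMAC scheme and authorize path follow Shopify's authorization code grant documentation.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode

# Placeholders (assumptions): replace with the app's own credentials and callback.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
SCOPES = "read_products,write_products,read_orders,read_all_orders"  # from the TOML in the thread
REDIRECT_URI = "https://app.example.com/auth/callback"
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$")


def sign(params, secret=CLIENT_SECRET):
    """HMAC-SHA256 (hex) over the sorted key=value pairs, excluding hmac itself."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def install_redirect(query_string, secret=CLIENT_SECRET):
    """Return (authorize_url, state) for a validly signed install request, else None."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    shop = params.get("shop", "")
    if not SHOP_RE.match(shop):
        return None  # never build a redirect to a host that is not a shop domain
    expected = sign(params, secret).encode()
    if not hmac.compare_digest(expected, params.get("hmac", "").encode()):
        return None  # query string was not signed with this app's secret
    state = secrets.token_urlsafe(16)  # keep server-side and compare on the callback
    query = urlencode({"client_id": CLIENT_ID, "scope": SCOPES,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"https://{shop}/admin/oauth/authorize?{query}", state


def decode_host(host):
    """Decode the base64 host parameter, restoring padding if it was stripped."""
    return base64.b64decode(host + "=" * (-len(host) % 4)).decode()


if __name__ == "__main__":
    # Constructed request shaped like the "Actual URL" above, signed with the placeholder secret.
    sample = {"host": "YWRtaW4uc2hvcGlmeS5jb20vc3RvcmUveGJiZjB5LXZw",
              "shop": "xbbf0y-vp.myshopify.com", "timestamp": "1750173698"}
    qs = urlencode({**sample, "hmac": sign(sample)})
    print(install_redirect(qs))
    print(decode_host(sample["host"]))
```

Decoding the `host` value from the "Actual URL" gives the same admin path that the "Expected URL" starts with.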

Thanks for taking a look.

If I install through the link in the partner dashboard to a dev store everything works as expected.

I have a feeling this may be a subtle issue with shopify.app.toml. My config included this:

[access_scopes]
scopes = "read_products,write_products,read_orders,read_all_orders"
use_legacy_install_flow = true

Is it possible having scopes set here overrides use_legacy_install_flow for the automated suite?

I’ve now tried removing scopes and running shopify app deploy but the checks have been seemingly stuck and running all day. Is there a way to reset these?

@KyleG-Shopify

Thanks Coop,

I’ll send you a DM here to get some of your app details and see what I can find regarding that check.

I am curious, though, why you’ve chosen to use a legacy authentication flow? I know you mentioned you would rather not refactor; however, implementing this before you have merchants using your app can save you a lot of headaches down the road. For example, if you ever need to change or request new access scopes (which is quite common), you would need to manually request this from each merchant, whereas if you used managed installations, all you need to do is deploy a new version.

I appreciate the help Kyle.

You make a good point - at this point I am migrating to managed installation. I thought it would be worth documenting this here in case someone else runs into the same issue.