Best Practice for App URL During Shopify Review: Frontend vs Backend OAuth Flow

Hi everyone,

I’m submitting my app for review and need clarification on the correct setup for the app URL, especially regarding OAuth behavior.

Here’s the structure of my app:

  • Frontend: Built with React; used by merchants to interact with features like editing product details.
  • Backend: Built with Flask; handles the OAuth flow and issues the access token.

Initially, I set the app URL in the Partner Dashboard to the backend endpoint that accepts the store ID and starts the OAuth process. This works well for authentication. But during review, Shopify tries to load the app URL in a browser, which doesn’t serve a UI—causing review failure.

So I updated the app URL to the frontend, which loads the merchant UI. It has logic to redirect to the backend OAuth if the merchant isn’t authenticated. However, I received this feedback:

“Your app must immediately authenticate using OAuth before any other steps occur. Merchants should not be able to interact with the user interface (UI) before OAuth.”

My questions are:

  1. What should the app URL point to during review?
       • The backend OAuth endpoint directly?
       • Or the frontend (as long as it immediately redirects to OAuth before showing any UI)?
  2. What’s the Shopify-recommended pattern in a React (frontend) + Flask (backend) architecture?

Appreciate any help or examples from others who’ve successfully passed review in a similar setup!

Thanks in advance.

asked here: https://shopify.slack.com/archives/C8ELWC8KZ/p1750148738596969

Hi @Arun_Sadan

Great to hear you’re in the process of submitting your app to our app store. Given your configuration, I believe the best option is to set the app URL to the backend endpoint that handles the OAuth initiation - but I’m double-checking to make sure I’m correct.

Hi again @Arun_Sadan

This is the recommendation from the app review team:

For the app review process, the app URL should point to a location that initiates the OAuth flow immediately upon installation. This means that the app should redirect users to Shopify’s OAuth authorization page right after they click the install button, without displaying any user interface beforehand.

In a React (frontend) + Flask (backend) architecture, the recommended pattern is to set the app URL to the backend endpoint that handles the OAuth initiation. This ensures that the OAuth flow is triggered immediately, complying with Shopify’s requirement that merchants should not interact with the UI before OAuth authentication is completed.
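
The pattern recommended above, as an added example that is not part of the replies or Shopify's own code: framework-independent logic that a Flask route mounted at the app URL could call, so the first response is a redirect to the shop's authorization page rather than UI. It assumes the install request carries Shopify's `shop`, `hmac` and `timestamp` query parameters; the credentials, scopes, callback URL and function names are placeholders.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Placeholders (assumptions): use your app's credentials and backend callback URL.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
SCOPES = "read_products,write_products"
REDIRECT_URI = "https://backend.example.com/auth/callback"
SHOP_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com")

def sign(params, secret=CLIENT_SECRET):
    """HMAC-SHA256 over the sorted query parameters, excluding 'hmac' itself."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()

def request_is_authentic(params):
    """True only for a well-formed shop domain and a valid Shopify signature."""
    if not SHOP_RE.fullmatch(params.get("shop", "")):
        return False  # never redirect to a host taken unchecked from the query
    return hmac.compare_digest(sign(params).encode(), params.get("hmac", "").encode())

def start_oauth(params):
    """App URL handler body: returns (status, redirect_location, state), never a UI."""
    if not request_is_authentic(params):
        return 400, None, None
    state = secrets.token_urlsafe(32)  # keep in the server-side session for the callback
    query = urlencode({"client_id": CLIENT_ID, "scope": SCOPES,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return 302, f"https://{params['shop']}/admin/oauth/authorize?{query}", state

def callback_is_valid(params, expected_state):
    """Check the callback before exchanging params['code'] for an access token."""
    got = params.get("state", "")
    return (bool(expected_state) and request_is_authentic(params)
            and hmac.compare_digest(got.encode(), expected_state.encode()))

if __name__ == "__main__":
    # Constructed install request, signed with the placeholder secret.
    req = {"shop": "demo-store.myshopify.com", "timestamp": "1700000000"}
    req["hmac"] = sign(req)
    print(start_oauth(req)[:2])
```

In Flask, the app URL route would pass `request.args.to_dict()` to `start_oauth`, store the returned state in the session, and return `redirect(location)`; the React frontend is served only after the callback check passes.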