Best Practices for Authenticating Shopify Web Pixel Event Requests

Hi there,

We are passing analytics data from our Shopify web pixel to our server. However, unlike other app extensions, web pixel events do not provide a session token or any direct authentication parameter from Shopify. Because of this, we currently have no built-in way to authenticate incoming requests on our server.

We are trying to use an authentication token configured via the web pixel settings in the TOML file to secure these requests. Is this considered best practice, or is there a recommended way to authenticate or validate these web pixel events from Shopify?

Thank you in advance for your help!

Hey @harsh.patel 👋. Hopefully I’m understanding correctly, but are you looking at creating a custom authentication token configured via your web pixel settings in the TOML file (as mentioned here)? If so, I’d say that’s definitely a supported workaround.

Unlike our webhooks, for example, which are server-to-server and can use HMAC validation, web pixels run client-side in the browser, so we don’t currently provide a built-in authentication mechanism like session tokens or signed requests. Your setup with a unique token per merchant (accessed via the settings property in your pixel) combined with server-side validation on your end of things should work though. Do you have any specific concerns about your use case or additional security requirements you’re trying to meet? Just wanted to make sure I was understanding things correctly here - hope to hear from you soon and hope this helps!
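The server-side half of the per-merchant token setup discussed above, as an added example that is not part of the thread or Shopify's code. It assumes a Node.js backend; the payload fields `shop`, `token` and `event`, the token store and all sample values are hypothetical and constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed sample store: shop domain -> token written into that
// merchant's pixel settings at install time (hypothetical values).
const TOKENS = new Map([
  ["alpha-shop.example", "tok_alpha_constructed_1"],
  ["beta-shop.example", "tok_beta_constructed_2"],
]);

// Hash both sides first so timingSafeEqual always receives buffers of
// equal length (it throws on a length mismatch).
function constantTimeEqual(a, b) {
  const ha = crypto.createHash("sha256").update(String(a)).digest();
  const hb = crypto.createHash("sha256").update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// payload: the parsed JSON body posted by the pixel (assumed shape:
// { shop, token, event: { name, ... } }).
function validatePixelRequest(payload, tokens = TOKENS) {
  if (!payload || typeof payload.shop !== "string" ||
      typeof payload.token !== "string") {
    return { ok: false, reason: "malformed" };
  }
  const expected = tokens.get(payload.shop);
  // Unknown shops are compared against a dummy value so both paths do the
  // same work and return the same reason (no shop enumeration).
  const match = constantTimeEqual(payload.token, expected ?? "no-such-shop");
  if (expected === undefined || !match) {
    return { ok: false, reason: "bad_token" };
  }
  if (!payload.event || typeof payload.event.name !== "string") {
    return { ok: false, reason: "malformed" };
  }
  // Bind the event to the shop the token was issued for, not to any
  // shop identifier found elsewhere in the event body.
  return { ok: true, shop: payload.shop };
}
```

Because the pixel runs in the browser, the token is visible to anyone who loads the storefront, so this check ties traffic to a merchant and filters junk rather than proving a request came from Shopify. Rate limiting per token and rotating a token that shows abuse cover the remaining gap.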

Hey @harsh.patel - wanted to follow up on the above, let me know if we can help out further 🙂