Clarification needed on optional scopes, useGenerateUserToken, and publicId

Shop Minis
1

Hello,

I need clarification on the recent Shop Minis scopes update, because some of the wording is ambiguous and it affects backend implementation.
In the email, you wrote:

Any hook that returns consent-protected data (useGenerateToken, useOrders, etc.) may return null if the user declines

I have a few specific questions:

  1. Did you mean useGenerateUserToken instead of useGenerateToken? I cannot find a hook named useGenerateToken in the docs.
  2. When you say these hooks may return null, what is the exact rule? Do they always return null when the required scope is declined orr can they still return a value in some cases, depending on the hook?
  3. The docs for useGenerateUserToken say:
  • it generates a temporary token for authenticating the current user with the backend
  • it “optionally uses” the openid scope when declared in the manifest
    What does “optionally uses” mean in precise runtime terms?
  1. If openid is present in the manifest but the user declines it:
  • will useGenerateUserToken return null?
    -or will it still return a token, but then userTokenVerify mutation will return publicId: null?

Right now the main uncertainty is where the failure happens. An explanation of the expected flow would help a lot.

Thank you.

2

Hi @Iurii_Teslenko !

Did you mean useGenerateUserToken instead of useGenerateToken? I cannot find a hook named useGenerateToken in the docs.

Yeah looks like there was a typo in our comms, apologies for the confusion.

When you say these hooks may return null, what is the exact rule? Do they always return null when the required scope is declined orr can they still return a value in some cases, depending on the hook?

In the case of useGenerateUserToken, the hook could still return a token. Though, when openid is not granted or not present in the manifest, the server-side verification would return publicId: null

it “optionally uses” the openid scope when declared in the manifest
What does “optionally uses” mean in precise runtime terms?

“Optionally uses” means: declaring openid in the manifest triggers a consent prompt that gives you a chance to get the user’s publicId, but declining never blocks the hook. The hook always works

Hope this adds some clarity