Custom App Install Link Setup

Partner Discussions
1

I have created a custom app from my partner dashboard. This is just for my external express backend. Shopify generated me an install link to use for my store. This link starts the authentication process. The way im thinking this process works is that once the user authenticates, they get redirected to yours app url for installation. Does my express backend need to generate an install link? How does this work? Or should the shopify provded link be enough?

2

Hi Baiterxrs,

The Shopify-provided install link is sufficient to start the authentication and installation process for your custom app. Here’s how it works:

  1. Install Link and Authentication: The install link provided by Shopify includes parameters like the shop’s domain and a signature (HMAC) to ensure the request’s authenticity. When a merchant clicks this link, they are redirected to Shopify’s OAuth flow, where they can approve the app’s requested permissions.
  2. Redirect to Your App: After the merchant approves the app, Shopify redirects them to the App URL you specified in your app’s configuration. This redirect includes an authorization code and other parameters that your app can use to request an access token.
  3. Access Token Exchange: Your backend (Express in this case) needs to handle this redirect, verify the request’s authenticity (using the HMAC parameter), and exchange the authorization code for an access token. This token is then used to make authenticated requests to Shopify APIs.
  4. No Need to Generate a New Install Link: Since Shopify generates the install link for you, your backend does not need to create a new one. The provided link is sufficient for merchants to install the app and initiate the OAuth process.
3

Hi Liam,

Just need some clarification. My current process is this:

  1. Created App for my partner account via shopify-cli.
  2. Used Install link to install the app and start the authorization process.
  3. My App Url points to my express backend in aws. When logging the req.query this is what I get:

{
embedded: ‘1’,
hmac:“some value”,
host: ‘some value’,
id_token: “some value”,
locale: ‘en’,
session: ‘some value’,
shop: ‘example.myshopify.com’,
timestamp: ‘1741667449’
}

As you can see I have the HMAC, but no Authorization code. From what you’re saying, once the user authorized from the install link I should receive Auth code, right?

Thank you for your help with this.