Customer authentication and role-based access with Shopify native login

Hi everyone! I have a Shopify store and I am working on some custom features that integrate with my own backend.

I currently have a form on my website, and the form responses are stored in my own backend. I would like to create a page in the store where the logged-in customer can see only their own submitted responses.

In a traditional system, this would usually be handled using a login flow with JWT. However, in my case, I am using Shopify’s native customer login, which is based on sending a login code via email.

Because authentication is fully handled by Shopify, I have a few doubts:

Since the login is managed by Shopify, I assume I do not have access to a JWT for the logged-in customer, correct?

I found that Shopify provides a customerAccessToken, which could be used to validate the customer. However, since I am not the one calling Shopify’s authentication API during login, I believe I cannot access this token. Is that correct?

Given this scenario, what would be the recommended way to securely identify the currently logged-in customer and ensure that they are the rightful owner of the data stored in my backend?

Additionally, I would like to support a type of user with higher privileges (for example, access to additional pages or extra data). In a traditional setup, this would be handled using a JWT containing the user ID and claims such as roles or permissions. Since customer authentication is handled natively by Shopify, what would be the recommended alternative to implement role-based access control in this case?

Any guidance or best practices would be greatly appreciated. Thank you!

@Liam-Shopify, can you help me with this?


Hey @Andrei_Rodrigues,

I would suggest starting with our guides on Customer accounts: Building apps for customer accounts

Building with customer accounts you’ll use the customer account API as well as customer accounts extensions for displaying specific customer details.

I also want to note that tagging staff directly is discouraged (so you know for next time) FAQ - Shopify Developer Community Forums

Do not tag individuals unless they have previously engaged with the topic, and do not tag groups.

Hi @KyleG-Shopify, thanks for the guidance.

First, I sincerely apologize for tagging Liam directly. I wasn’t aware that tagging staff members unless they are already participating in the thread is discouraged here. It won’t happen again.

Regarding your suggestion to build a “Customer Account UI Extension”, I have a few clarifying questions to ensure I take the right path:

  1. Is this the only way? My goal is simply to display some external data (form responses) to the logged-in user. Do I strictly need to build a Custom App and UI Extension for this, or is there a simpler, recommended way to achieve this using standard theme code (Liquid)?

  2. Shopify Plus: Does building these Customer Account UI Extensions require a Shopify Plus plan?

  3. Security: If I proceed with the Extension, how do I secure the request to my backend? Does the API provide a signed ID Token (JWT) that I can validate on my server to ensure the request is legitimate and coming from the correct customer_id?

Thanks again for your help!

Hey @Andrei_Rodrigues1,

Customer Account UI Extensions aren’t the only way, but they’re the recommended approach for securely displaying customer-specific external data. Liquid also has a customer object that exposes some info for logged-in customers.

Customer account Extensions don’t require Shopify Plus. Some B2B-specific targets on the Profile page are Plus-only, but the core extension targets work on all plans.

For securing requests to your backend, the Session Token API is available. There’s a helpful community thread here that walks through manual session token validation in Ruby and shows the practical implementation.

You can find the full token structure and claims in the Session Token API documentation.
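As an added example (not code from this thread, from Shopify, or from the linked community post), here is what the backend side of that flow looks like in Ruby with only the standard library: verify the session token, then use the verified subject as the owner key for the form responses and as the lookup key for a backend-side role table. It assumes the token is an HS256 JWT signed with the app’s client secret and carries `iss`, `dest`, `aud`, `sub`, `exp` and `nbf` claims as described in the Session Token API docs; the client ID/secret, the store domain, the customer GIDs, the form responses and the role mapping are all constructed placeholders, and `mint_token` exists only to build sample (and deliberately bad) input for the checks.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'uri'

# Placeholder app credentials (assumption for this example; real values are the
# app's own client ID and client secret).
CLIENT_ID     = 'example-client-id'
CLIENT_SECRET = 'example-client-secret'

class TokenError < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Mints an HS256 JWT keyed with the client secret, mirroring how session tokens
# are signed. Only used here to construct sample input (including bad input for
# the negative checks); a backend never mints session tokens itself.
def mint_token(payload, secret: CLIENT_SECRET, alg: 'HS256')
  signing_input = "#{b64url(JSON.generate({ alg: alg, typ: 'JWT' }))}.#{b64url(JSON.generate(payload))}"
  sig = alg == 'none' ? '' : OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Verifies a session token and returns its claims. Every check is pinned
# server-side: algorithm, signature, lifetime, audience, issuer/destination.
def verify_session_token(token, secret: CLIENT_SECRET, client_id: CLIENT_ID, now: Time.now.to_i)
  parts = token.to_s.split('.', -1)
  raise TokenError, 'malformed token' unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm instead of trusting the header (blocks alg=none and key confusion).
  raise TokenError, 'unexpected alg' unless header.is_a?(Hash) && header['alg'] == 'HS256'

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  raise TokenError, 'bad signature' unless secure_equal?(b64url_decode(sig_b64), expected)

  claims = JSON.parse(b64url_decode(payload_b64))
  raise TokenError, 'malformed claims' unless claims.is_a?(Hash)
  raise TokenError, 'token expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  raise TokenError, 'token not yet valid' if claims['nbf'].is_a?(Integer) && now < claims['nbf']
  raise TokenError, 'wrong audience' unless claims['aud'] == client_id
  iss_host = URI(claims['iss'].to_s).host
  raise TokenError, 'iss/dest mismatch' unless iss_host && iss_host == URI(claims['dest'].to_s).host
  raise TokenError, 'missing subject' if claims['sub'].to_s.empty?
  claims
rescue ArgumentError, TypeError, JSON::ParserError, URI::InvalidURIError => e
  raise TokenError, "malformed token (#{e.class})"
end

# Constructed backend data, keyed by the customer identifier in the token's sub
# claim (assumption: sub identifies the customer; these GIDs are made up).
FORM_RESPONSES = {
  'gid://shopify/Customer/1001' => [{ 'form' => 'survey', 'answer' => 'blue' }],
  'gid://shopify/Customer/1002' => [{ 'form' => 'survey', 'answer' => 'green' }]
}.freeze

# Roles live in the backend, not in the token: the session token carries no role
# claims, so the app keeps its own customer-to-role mapping (constructed here).
ROLES = { 'gid://shopify/Customer/1002' => 'manager' }.freeze

# Only the caller's own rows. The owner key comes from the verified token, never
# from a request parameter the client could rewrite.
def responses_for(token, **opts)
  claims = verify_session_token(token, **opts)
  FORM_RESPONSES.fetch(claims['sub'], [])
end

# Privileged view, gated on the backend's own role table.
def all_responses_for(token, **opts)
  claims = verify_session_token(token, **opts)
  raise TokenError, 'forbidden' unless ROLES[claims['sub']] == 'manager'
  FORM_RESPONSES.values.flatten
end

# Constructed claim set shaped like a session token payload (store domain made up).
def sample_claims(sub, now: Time.now.to_i)
  { 'iss' => 'https://example-store.myshopify.com/admin',
    'dest' => 'https://example-store.myshopify.com',
    'aud' => CLIENT_ID, 'sub' => sub,
    'exp' => now + 60, 'nbf' => now, 'iat' => now,
    'jti' => 'constructed-jti', 'sid' => 'constructed-sid' }
end

if __FILE__ == $PROGRAM_NAME
  puts responses_for(mint_token(sample_claims('gid://shopify/Customer/1001'))).inspect
end
```

The extension sends the token in the `Authorization` header of its fetch to the backend; the backend calls `responses_for` (or `all_responses_for`) with it and never reads a customer ID from the request body or query string. Anything a practitioner would otherwise put into a JWT role claim (manager, admin, extra-page access) is instead a row in the backend's own role table keyed by the verified `sub`.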