Dev Dashboard: limitations for custom app developers

There appear to be some permissions issues that are limiting the ability for agency partners to create custom apps for their clients. It seems that the new tools have been designed with the intention that a custom app and store should belong to the same org. However, collaborators can’t access the Dev Dashboard of clients because they don’t have organizational-level permissions (docs). Partners still have the “App Distribution” system in their app’s dashboard settings, but building a custom app that way seems to have an increasing number of limitations.

Unless I’m missing something, this makes administering a custom app cumbersome - either the developers need to be added as staff, or the client needs to administer the dev dashboard themselves, neither of which is optimal.

Examples:

  1. With the client credentials grant flow to generate access tokens, both the app and the store must belong to the same org.
  2. Using the new shopify app execute / shopify app bulk execute commands also seems to require the app and the store belong to the same org.

Going forward, what is the recommended procedure for developing custom apps for clients so that all the new tools can be leveraged?

1 Like

Hey @Nic_Oliver,

The client credentials grant flow is specifically for apps where the app and store are in the same organization, i.e. a merchant creating and using a custom app on their own store. That flow isn’t available for partner-distributed apps.

For the agency/partner workflow, the path hasn’t changed. You create the app in your own Dev Dashboard, select Custom distribution, and send the merchant an install link. If you’re using the Shopify CLI app template, Shopify managed installation is already set up for you, so auth and scope updates are handled automatically on deploy. For non-embedded apps, you’d use the authorization code grant instead of client credentials.

For shopify app execute / shopify app bulk execute, those are development tools that work against stores where your app is installed. You can read more about their usage limitations and use cases here.

Hi @KyleG-Shopify Thanks for the response here.

To clarify, there are situations where using an embedded CLI app created from a template is not feasible. For example, legacy systems and 3rd party integrations. For these cases, the guidance from Shopify seems to be to use client credentials grant; however, it’s not practical due to the permissions issues outlined above. Custom distribution works for a new app created from the template, but this doesn’t account for all use cases.

For shopify app execute / shopify app bulk execute, this actually appears to be the same client credentials issue based on the link you shared - thanks for that. We had a use case yesterday, where we have a custom extension-only app installed on a shop that we have collaborator access to. It has 5 extensions of relatively high complexity and is critical for checkout and fulfilment operations. We needed to run a bulk export against ~20,000 products to find any products that had a specific variant metafield missing, as our extension app relies on that field. This would have been really easy to do with shopify app execute (and nice DX!), but when we tried, we got the org permissions error.

I suppose this thread could be a feature request for a system where merchants can grant permission to collaborators / partners to use client credentials?

Hey @Nic_Oliver, I can see how shopify app execute would be useful for extension-only apps where you don’t have a backend to run queries through. That said, mutations via shopify app execute are limited to dev stores regardless of permissions, so even without the org restriction it wouldn’t have worked on your client’s production store.

For that bulk export, the Bulk Operations API is the way to go. Your app is already installed on the store via custom distribution, so you have an access token from the OAuth flow that you can use to call bulkOperationRunQuery directly.

On partner/collaborator access to client credentials, I’ll pass along the use case of extension-only apps needing to run one-off queries against client stores. As always, the developer changelog is where any movement on that would appear.

1 Like
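The bulk export suggested in the last reply, as an added example (not code from the thread or from Shopify): it builds the bulkOperationRunQuery request for the app's existing OAuth access token and reads the JSONL result to list products that have variants missing the metafield. The metafield namespace and key, the shop domain, the API version placeholder and the sample rows are assumptions or constructed; sending the request and downloading the result file are left to the caller.

```python
import json
import urllib.request

NAMESPACE, KEY = "custom", "example_key"  # assumed placeholders, not from the thread

MUTATION = """mutation($query: String!) {
  bulkOperationRunQuery(query: $query) {
    bulkOperation { id status }
    userErrors { field message }
  }
}"""

def export_query(namespace=NAMESPACE, key=KEY):
    """Inner bulk query; json.dumps safely quotes the string arguments."""
    field = f"metafield(namespace: {json.dumps(namespace)}, key: {json.dumps(key)})"
    return ("{ products { edges { node { id title variants { edges { node { id sku "
            + field + " { value }" + " }" * 7)

def build_request(shop, api_version, token):
    """Build (without sending) the Admin GraphQL call using the app's OAuth token."""
    body = {"query": MUTATION, "variables": {"query": export_query()}}
    return urllib.request.Request(
        f"https://{shop}/admin/api/{api_version}/graphql.json",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-Shopify-Access-Token": token},
        method="POST")

def products_missing_metafield(jsonl_lines):
    """Return {product id: {"title", "variants"}} for variants whose metafield is null."""
    titles, missing = {}, {}
    for line in filter(str.strip, jsonl_lines):
        row = json.loads(line)
        parent = row.get("__parentId")
        if parent is None:          # top-level line: a product
            titles[row["id"]] = row.get("title")
        elif row.get("metafield") is None:  # child line: a variant without the field
            missing.setdefault(parent, []).append(row["id"])
    return {p: {"title": titles.get(p), "variants": v} for p, v in missing.items()}

# Constructed sample of the JSONL result file (children carry __parentId).
SAMPLE_JSONL = [
    '{"id":"gid://shopify/Product/1","title":"Constructed A"}',
    '{"id":"gid://shopify/ProductVariant/11","sku":"A-1","metafield":{"value":"x"},"__parentId":"gid://shopify/Product/1"}',
    '{"id":"gid://shopify/ProductVariant/12","sku":"A-2","metafield":null,"__parentId":"gid://shopify/Product/1"}',
    '{"id":"gid://shopify/Product/2","title":"Constructed B"}',
    '{"id":"gid://shopify/ProductVariant/21","sku":"B-1","metafield":{"value":"y"},"__parentId":"gid://shopify/Product/2"}',
]
if __name__ == "__main__":
    print(json.dumps(products_missing_metafield(SAMPLE_JSONL), indent=2))
```

Pass the token to build_request from an environment variable or secret store rather than from source, and keep it out of logs, since it carries the app's full granted scopes on the client's store.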