I’m submitting my first app for App Store review, and the automated “Embedded app checks” have been stuck in pending state for over 24 hours. Hoping a Shopify staff member can help manually verify.
Stuck checks:
Using the latest App Bridge script loaded from Shopify’s CDN
Using session tokens for user authentication
All other automated checks are passing.
What I’ve verified is working correctly:
App Bridge script (https://cdn.shopify.com/shopifycloud/app-bridge.js) loads from Shopify’s CDN — confirmed in Network tab
<meta name="shopify-api-key"> tag and App Bridge <script> tag both present in the rendered DOM (confirmed via Elements panel)
Session tokens are firing — Authorization: Bearer headers present on fetch requests to my backend
AppProvider from @shopify/shopify-app-remix/react is correctly set up in app/routes/app.tsx
Tested in incognito Chrome with all extensions disabled, 5+ minutes of active multi-page interaction on the dev store
App installs and runs correctly inside the Shopify admin iframe
I already chatted with a Partner Support advisor, but they weren’t able to diagnose why the telemetry checks aren’t completing. Similar issues in this forum (this thread and this one) have been resolved by Shopify staff manually unblocking the checks after verification.
Happy to provide any additional info or collaborator access to the dev store if that helps.
Thanks for the detailed write-up here, and sorry you’ve been stuck on this one for over 24 hours, this isn’t ideal.
One pattern we’ve seen lately (and that tripped up another dev recently over in this thread) is our automated checker getting blocked by bot protection at the hosting/CDN layer, think Cloudflare, Vercel, or similar services with automated challenge pages turned on. Even if the app loads perfectly in your own browser, the checker’s requests can get silently intercepted before they reach your app, which leaves the checks stuck in pending indefinitely. If you’re behind anything like that, could you try temporarily setting the security level down (or allowlisting requests to your App URL) and see if that gets things moving? On that same note, if you can run curl -sI https://your-app-url against the exact URL you have configured as your App URL in the Partners dashboard and share the headers and a snippet of the body, that’d help us narrow down what the checker is actually seeing when it hits your app.
If none of that pans out, happy to DM so we can dig in a bit further on our end, including taking you up on that collaborator access offer if needed. Let me know what you find!
here is the response to > curl -sI {app-url}
HTTP/2 200
content-type: text/html; charset=utf-8
date: Sun, 19 Apr 2026 05:33:10 GMT
server: railway-edge
vary: Accept-Encoding
x-railway-edge: railway/us-west2
x-railway-request-id: {ID}
x-cache: MISS
x-cache-hits: 0
x-railway-cdn-edge: fastly/cache-pao-kpao1770080-PAO
x-served-by: cache-pao-kpao1770080-PAO
And here’s > curl -s {app-url} | head -c 2000
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="shopify-api-key" content="{APIKEY}"/><script src="https://cdn.shopify.com/shopifycloud/app-bridge.js"></script><link rel="preconnect" href="https://cdn.shopify.com/"/><link rel="stylesheet" href="https://cdn.shopify.com/static/fonts/inter/v4/styles.css"/><link rel="stylesheet" href="/assets/route-Xpdx9QZl.css"/></head><body><div class="_index_12o3y_1"><div class="_content_12o3y_22"><h1 class="_heading_12o3y_11">A short heading about [your app]</h1><p class="_text_12o3y_12">A tagline about [your app] that describes your value proposition.</p><form method="post" action="/auth/login" class="_form_12o3y_27" data-discover="true"><label class="_label_12o3y_35"><span>Shop domain</span><input class="_input_12o3y_43" type="text" name="shop"/><span>e.g: my-shop-domain.myshopify.com</span></label><button class="_button_12o3y_47" type="submit">Log in</button></form><ul class="_list_12o3y_51"><li><strong>Product feature</strong>. Some detail about your feature and its benefit to your customer.</li><li><strong>Product feature</strong>. Some detail about your feature and its benefit to your customer.</li><li><strong>Product feature</strong>. Some detail about your feature and its benefit to your customer.</li></ul></div></div><script>((storageKey2, restoreKey) => {
if (!window.history.state || !window.history.state.key) {
let key = Math.random().toString(32).slice(2);
window.history.replaceState({ key }, "");
}
try {
let positions = JSON.parse(sessionStorage.getItem(storageKey2) || "{}");
let storedY = positions[restoreKey || window.history.state.key];
if (typeof storedY === "number") {
window.scrollTo(0, storedY);
}
} catch (error) {
console.error(error);
sessionStorage.removeItem(storageKey2);
}
})(“react-router-scroll-positions”, null)</scr
On a side note I did add a HOST=0.0.0.0 to my start script because it seemed my app was bound to a container interface. This may not be the problem but thought it was worth noting.
Hope this is helpful or at least eliminates some of the checks.
Hey @codehacker_drew, thanks for the detailed follow-up here, sorry for the delay on my response, just catching up on threads here.
Based on what you shared, I don’t think Railway or the CDN layer is the issue. The response is returning 200, the App Bridge script tag and api-key meta are both present, and the Fastly header in there is just Railway’s own edge, so it doesn’t seem like a bot challenge layer. So we can probably rule that out. The HOST=0.0.0.0 change is also fine, that’s just binding to all
interfaces inside the container I believe, and shouldn’t cause any issue with the checker.
One quick thing to check before we dig in further on our end. The page you curled is the unauthenticated landing page, which correctly serves App Bridge. The embedded checks are telemetry-based though, so they fire when App Bridge is actually initialized inside the admin iframe under a real shop session.
Could you confirm if App Bridge is up on the authenticated side too? If you install the app on your dev store, open it from the admin, and in the browser devtools console run window.shopify and let me know what comes back that may help.
If App Bridge initialized correctly you should see an object with methods on it. If it’s undefined, that would point at something on the AppProvider setup on the authenticated
routes.
If that all looks good, happy to move this to DMs and take you up on the collaborator access offer so we can dig in further on our end.
This^ looks to be what you were expecting, an object with methods. Let me know if you have any other tips or if we need to move to DMs, happy to carry the conversation.
Hey @codehacker_drew - no worries on the delay. Since everything seems to be firing correctly and the checks are still stuck, I think I’ll need to take a closer look on our end. DMing you now!