Embedded app checks stuck in pending for 48+ hours - Railway + Fastly CDN

My app’s embedded app checks (“Using the latest App Bridge script” and
“Using session tokens for user authentication”) have been stuck in pending
for 48+ hours despite verifying everything.

App details:

• Hosting: Railway (uses Fastly CDN edge)
• App URL: https://getvelify-production.up.railway.app
• Partner app ID: fca934f891a02b8f390be483b8155a21

What I’ve verified:

• curl returns HTTP 200 with no bot protection
• HTML contains <meta name="shopify-api-key"> before the CDN script
• CDN script: https://cdn.shopify.com/shopifycloud/app-bridge.js
• All API requests include Authorization: Bearer <session_token>
• Backend verifies JWT with HS256 + aud claim + exp + nbf
• CSP header set: frame-ancestors https://*.myshopify.com https://admin.shopify.com
• Tested in fresh incognito Chrome (no extensions), navigated all pages

Can someone from Shopify manually trigger or investigate the check?

Hi @Shashank_Thigale

Did you use any official Shopify templates?

Hi,

We recently encountered a similar issue on our end, and we were able to resolve it by ensuring that the Shopify App Bridge is loaded only via the latest CDN script.

We recommend that you:

• Load the App Bridge exclusively from the official CDN: https://cdn.shopify.com/shopifycloud/app-bridge.js

• Avoid mixing local or outdated versions of the script

• Ensure it is initialized correctly after the <meta name="shopify-api-key"> tag

From our experience, once the implementation strictly follows the correct approach (especially proper App Bridge loading and valid session token handling), these embedded app checks typically pass automatically without requiring any manual intervention.

If everything is configured correctly on your side, it should just be a matter of time before the checks update.

Hope this helps!

Thank you for the response!

Quick update for anyone who finds this thread: the checks eventually passed on their own.

What we had in place that worked:

• App Bridge loaded exclusively from the CDN: https://cdn.shopify.com/shopifycloud/app-bridge.js
• tag placed before the script
• Session token authentication on all backend routes

Shopify support suggested testing on a fresh browser without extensions, but the checks cleared before we even had a chance to do that. So it seems like it just needed some extra time
after the correct implementation was in place.

Hope this helps others in the same situation!