How Can an Unpublished Shopify App Be Installed by Unauthorized Stores?

I am currently testing a Shopify app that is not published on the Shopify App Store and is only deployed on a hosting platform (Railway).

My understanding was that during the testing phase, only my development/testing store should be able to install the app. However, I observed that unauthorized stores were able to install it, which was unexpected.


Clarification Needed

How is it possible for external or unknown Shopify stores to install my app when:

  • The app is not listed on the Shopify App Store

  • It is still in the private/testing phase

  • It is only deployed via a backend URL (not publicly promoted)


Observation

It appears that installations may be happening through:

  • Direct OAuth URLs (/api/auth?shop=...)

  • Shopify Partners Dashboard install flow


Question

Is it expected behavior that any Shopify store can initiate installation via OAuth if they have the app URL, even if the app is not published?

If so:

  • What is the recommended way to strictly restrict installation to only specific stores during testing?

  • Are there any built-in Shopify mechanisms for limiting installs, or is this entirely the developer’s responsibility?


Goal

I want to ensure that no unauthorized store can install or access the app until it is officially published.

Any clarification or best practices would be appreciated.
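
One way to enforce a store allowlist at the app's own OAuth entry point, the `/api/auth?shop=...` route mentioned in the post. This is an added example, not part of the original post and not Shopify's code; the store names, `ALLOWED_SHOPS`, `normalizeShop` and `gateAuthRequest` are assumptions made for illustration.

```javascript
// Added example: allowlist gate for the OAuth start route (/api/auth?shop=...).
// ALLOWED_SHOPS and the store names below are constructed placeholders.
const ALLOWED_SHOPS = new Set(["my-dev-store.myshopify.com"]);

// Shop domains have the form <handle>.myshopify.com; the anchors stop
// values such as "x.myshopify.com.attacker.example" from passing.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Return the canonical shop domain, or null if the value is not a plain shop hostname.
function normalizeShop(raw) {
  if (typeof raw !== "string") return null;
  const shop = raw.trim().toLowerCase();
  return SHOP_RE.test(shop) ? shop : null;
}

// Decide what to do with a request to the auth start route.
// status 200 = continue to OAuth, 400 = malformed request, 403 = store not allowlisted.
function gateAuthRequest(requestUrl, allowed = ALLOWED_SHOPS) {
  // The base URL is only needed so relative request paths can be parsed.
  const url = new URL(requestUrl, "https://app.invalid");
  const values = url.searchParams.getAll("shop");
  // Reject repeated parameters so this check and the OAuth code cannot read different values.
  if (values.length !== 1) return { status: 400, shop: null };
  const shop = normalizeShop(values[0]);
  if (shop === null) return { status: 400, shop: null };
  if (!allowed.has(shop)) return { status: 403, shop };
  return { status: 200, shop };
}
```

The same check belongs in the OAuth callback handler as well, since the callback request also carries a `shop` parameter.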