How to authenticate request with session tokens manually?

prakhar · November 20, 2024, 4:40pm

Hey Remy!

Session token is not an HMAC but a JWT. You would need to decode the JWT.

We use python (Django) to decode it but I took some help from AI and got this code for ROR.

def verify_session_token
  session_token = request.headers['Authorization']
  
  begin
    payload = JWT.decode(
      session_token,
      Rails.configuration.shopify_api_secret,
      true,
      {
        algorithms: ['HS256'],
        aud: Rails.configuration.shopify_api_key,
        leeway: 10
      }
    ).first
    
    shop = URI.parse(payload['dest']).host
  rescue JWT::DecodeError => e
    puts "Invalid Token"
  end
end

Let me know if this helps.

Topic		Replies	Views
How to authentication session token API request came from customer account UI extension? Extensions customer-account-ext	2	26	March 24, 2025
Token exchange returns invalid_subject_token Extensions customer-account-ext	13	56	March 3, 2025
Stuck at "Not authenticating with session tokens" Shopify CLI and Libraries remix	1	37	March 31, 2025
"Not authenticating with session tokens" even though session token authentication is set up Authentication & Access oauth	10	247	March 6, 2025
Session -> Access Token exchange with managed install query params Authentication & Access oauth	3	125	November 18, 2024

How to authenticate request with session tokens manually?

Related topics