First, some context:
My company has an application listed on the Shopify app store.
We use app-managed webhook subscriptions, configured in our app’s TOML file.
For our customers, we direct them to install our Shopify app from our web application as part of the standard OAuth flow. The result of this gives us a shop-specific access token for each shop that authorizes our application.
We receive webhooks for these shops as expected, no problems there.
The problem:
However, it seems at least one shop (maybe more) has installed our Shopify application from the app listing directly, out of band from our application. This Shopify Shop is not a customer of ours, we do not know who they are.
It appears that because they installed our Shopify app, we are now subscribed to webhooks from that shop, just like any other shop that installs our application. But, since they installed out of band, we don’t have an access token for their shop, which means we can’t unsubscribe from webhooks for that shop (AFAICT).
We receive a fair amount of webhook traffic from this shop, which is meaningless for us, since they are not, nor ever were, our customer.
So the question is: is there a way for us to unsubscribe from webhooks for this particular shop? Or perhaps, is there a way to force an app uninstall from this shop? Is that something we can do ourselves, or do we need to contact support?
Thank you in advance!
Hi @AustinTildei
Currently there’s no way to silently uninstall the app from stores without user interaction. You can email those stores and ask them to uninstall your app. If you don’t want to do that either, you’ll probably have to check the requests in your webhook and just ignore them. @KyleG-Shopify, any thoughts?
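An added example of the "check the requests in your webhook and just ignore them" approach (my code, not anything posted in this thread or shipped by Shopify). It verifies the X-Shopify-Hmac-Sha256 header against the app's API secret before trusting anything else in the request, then acknowledges but discards deliveries from shops that are not registered on our own platform. The secret, the registered-shop set and the sample delivery are constructed placeholders; the header names and the base64 HMAC-SHA256-over-raw-body scheme are Shopify's documented webhook signing.

```python
import base64
import hashlib
import hmac

# Constructed placeholders: the app's API secret key and the shops that are
# actual customers on our platform (in a real app this is a database lookup).
APP_SECRET = b"shpss_example_secret_not_real"
REGISTERED_SHOPS = {"customer-a.myshopify.com", "customer-b.myshopify.com"}


def shopify_signature(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Value of the X-Shopify-Hmac-Sha256 header: base64(HMAC-SHA256(secret, raw body)).
    Used by verify_webhook() and, in this example, to build sample requests."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def verify_webhook(raw_body: bytes, hmac_header: str, secret: bytes = APP_SECRET) -> bool:
    """Constant-time comparison over the *raw* body, never a re-serialised JSON object."""
    return hmac.compare_digest(shopify_signature(raw_body, secret), hmac_header or "")


def handle_webhook(headers: dict, raw_body: bytes) -> tuple:
    """Returns (http_status, action). Signature first: X-Shopify-Shop-Domain is just a
    header anyone on the internet can set, so it only means something once the HMAC
    has checked out."""
    if not verify_webhook(raw_body, headers.get("X-Shopify-Hmac-Sha256", "")):
        return 401, "rejected: bad signature"
    shop = headers.get("X-Shopify-Shop-Domain", "")
    topic = headers.get("X-Shopify-Topic", "")
    if shop not in REGISTERED_SHOPS:
        # Acknowledge with 200 so Shopify does not keep retrying the delivery,
        # but do no work and store nothing for a shop that is not a customer.
        return 200, "ignored: %s not registered" % shop
    return 200, "processed: %s for %s" % (topic, shop)


if __name__ == "__main__":
    # Constructed sample delivery from a shop we have never heard of.
    body = b'{"id": 1001, "email": "buyer@example.com"}'
    headers = {
        "X-Shopify-Hmac-Sha256": shopify_signature(body),
        "X-Shopify-Shop-Domain": "stranger.myshopify.com",
        "X-Shopify-Topic": "orders/create",
    }
    print(handle_webhook(headers, body))
```

The ordering matters: filtering on the shop domain before verifying the signature would let anyone probe which shops are registered, and skipping verification entirely would let them inject fake order data for a registered shop.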
Hey @AustinTildei, can you clarify what it means when someone installs out of band? If the app is currently installed and the merchant has approved the access, you should have an access token for it in the same way all other installations do.
For programmatic removal, we have an example here on how you can do that:
Hi @KyleG-Shopify , and thanks for the response! Let me see if I can add some extra details to explain our situation better.
Our app sets embedded = false in our TOML config file. Reading this page, this indicates we need to use the authorization code grant flow to obtain an access token to act on the shop’s behalf.
By “out of band”, I was referring to installing the Shopify app directly from the app listing. However, I should have refreshed my memory before posting. I was thinking that we initiated the OAuth redirect flow from my web app’s UI. In reality, we just direct users to the Shopify app store to install, which then sends them back to our web app’s UI, as configured on the App URL in our app’s config. This is how we begin the OAuth authorization code grant flow. Apologies for the confusion there, my mistake.
In the case of these merchants that install our Shopify app without being our customers - when they are redirected to our web app’s UI after Shopify app installation, they are prompted to login to our platform. Naturally, they aren’t able to do that, so we never complete the authorization code exchange, and never obtain an access token for the shop.
I would prefer not to complete any OAuth flows (and store any data) for shops that are not registered in my platform, but that leaves me in this state where shops are sending us webhooks that we don’t care about. Is this what other partners do to handle this situation, though? Complete the authorization code exchange regardless?
Given that we don’t have an access token for the shop, and (I assume) therefore can’t uninstall the app via API request as you suggested, are there any alternative options?
Thanks again, I appreciate your and @kyle_liu's prompt engagement.
Hey @AustinTildei,
Thanks for the extra detail, that makes sense.
If you’re receiving webhooks for that shop, the merchant would have completed OAuth.
I’d recommend treating all installs the same. Complete the token exchange first, then check if the merchant is a customer on your platform. If they haven’t signed up or logged in to complete setup within a set period, you can use the token to programmatically uninstall the app. The App Store requirements expect OAuth to complete before any other steps anyway.
Another option, if you only want webhook subscriptions for registered users, switch from app-managed webhooks (TOML) to subscribing via GraphQL. That way you control which shops get subscriptions instead of every install getting them automatically.
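An added example of the first recommendation above, treating every install the same (my code, not KyleG's or Shopify's). It finishes the authorization-code exchange for any shop that arrives at the callback, records the install with a timestamp, and a periodic sweep uninstalls shops that never linked to a customer account within a grace period. The callback HMAC scheme (hex HMAC-SHA256 over the sorted query parameters minus hmac) and the access_token exchange URL are Shopify's documented OAuth flow; the DELETE /admin/api_permissions/current.json uninstall call is my assumption about the endpoint KyleG's link points to and should be checked against current docs. Credentials, the fake_transport stand-in for HTTPS and the sample callback are all constructed.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed placeholders for the app credentials from the Partner Dashboard.
API_KEY = "example_client_id"
API_SECRET = "example_client_secret"
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")

# transport(method, url, headers, json_body) -> (status, json_response). Injected so the
# flow runs offline here and over a real HTTPS client in production.
Transport = Callable[[str, str, dict, Optional[dict]], tuple]


def callback_message(params: dict) -> str:
    """Shopify's redirect HMAC covers every query parameter except hmac itself,
    sorted by key and joined as key=value&key=value."""
    rest = {k: v for k, v in params.items() if k != "hmac"}
    return "&".join("%s=%s" % (k, rest[k]) for k in sorted(rest))


def sign_callback(params: dict, secret: str = API_SECRET) -> dict:
    """Attaches the hmac Shopify would send (used here only to build sample callbacks)."""
    digest = hmac.new(secret.encode(), callback_message(params).encode(), hashlib.sha256).hexdigest()
    return dict(params, hmac=digest)


def verify_callback(params: dict, secret: str = API_SECRET) -> bool:
    expected = hmac.new(secret.encode(), callback_message(params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("hmac", ""))


@dataclass
class Install:
    shop: str
    access_token: str
    installed_at: float
    customer_id: Optional[str] = None  # set once the merchant signs up or logs in


def complete_oauth(params: dict, expected_state: str, transport: Transport,
                   installs: Dict[str, Install], now: float) -> Install:
    """Authorization-code exchange for every install, customer or not."""
    shop = params.get("shop", "")
    if not SHOP_RE.match(shop):
        raise ValueError("shop is not a *.myshopify.com domain")
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state nonce mismatch")
    if not verify_callback(params):
        raise ValueError("callback hmac invalid")
    status, body = transport("POST", "https://%s/admin/oauth/access_token" % shop, {},
                             {"client_id": API_KEY, "client_secret": API_SECRET, "code": params["code"]})
    if status != 200 or "access_token" not in body:
        raise RuntimeError("token exchange failed with status %s" % status)
    installs[shop] = Install(shop, body["access_token"], now)
    return installs[shop]


def uninstall(transport: Transport, install: Install) -> bool:
    # ASSUMPTION: this is the REST revoke-access endpoint that uninstalls the app;
    # confirm against current Shopify docs before relying on it.
    status, _ = transport("DELETE", "https://%s/admin/api_permissions/current.json" % install.shop,
                          {"X-Shopify-Access-Token": install.access_token}, None)
    return status == 200


def sweep_unlinked(installs: Dict[str, Install], transport: Transport,
                   now: float, grace_seconds: float) -> List[str]:
    """Uninstall shops that never linked to a customer within the grace period."""
    removed = []
    for shop, inst in list(installs.items()):
        if inst.customer_id is None and now - inst.installed_at >= grace_seconds:
            if uninstall(transport, inst):
                del installs[shop]  # token is revoked now; keep nothing for this shop
                removed.append(shop)
    return removed


def fake_transport(method, url, headers, body):
    """Offline stand-in for HTTPS that returns the shape of Shopify's responses."""
    if method == "POST" and url.endswith("/admin/oauth/access_token"):
        return 200, {"access_token": "shpat_example_token", "scope": "read_orders"}
    if method == "DELETE" and url.endswith("/admin/api_permissions/current.json"):
        return 200, {}
    return 404, {}
```

The state check and the myshopify.com domain check are the two things the thread's original flow skipped by never finishing OAuth; once tokens are stored for non-customers they are sensitive data for those shops, which is one argument for keeping the grace period short.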
Is this a public app @AustinTildei ? Can you share the app store url?
Thanks, @KyleG-Shopify !
If you’re receiving webhooks for that shop, the merchant would have completed OAuth.
By “completed OAuth”, I meant completed the code-token exchange on my part. I do recognize that these shops in question have completed the authorization process for my application, which explains the webhooks flowing. Apologies for the confusion there.
Thank you for your recommendations! I’ll take these to my team for review and go from there.
Another option, if you only want webhook subscriptions for registered users, switch from app-managed webhooks (TOML) to subscribing via GraphQL. That way you control which shops get subscriptions instead of every install getting them automatically.
One question/concern with this option - what would happen to existing webhook subscriptions that were created via the TOML configuration? Would those remain, or would they all be canceled (unsubscribed)? Is that documented somewhere? I assume if they were canceled, we could re-subscribe like any other shop via the GraphQL API, since we have access tokens for the shops we want to listen for, but this would certainly be important to ensure we don’t lose webhook subscriptions we are interested in.
Hi @Liam-Shopify !
Yes, it is a public app. It can be found here: Tildei - Engage & convert your social followers. | Shopify App Store
Hey @AustinTildei,
I’d still lean toward Option 1 here if possible. Merchants who find your app on the App Store and install it are showing intent, so completing the token exchange for all installs and giving them a path to sign up could be a lead generation opportunity rather than something to filter out.
To answer your question on Option 2 though: removing the webhook topics from your TOML and deploying a new app version removes those app-managed subscriptions from all shops. To avoid a gap in deliverability you can subscribe via GraphQL for the shops you need and confirm they are active first, then you can remove them from the TOML.
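An added example for the second option (my code, not Shopify's or the poster's): the pieces needed to move webhook subscriptions from shopify.app.toml to API-created ones without a delivery gap. It builds the Admin GraphQL calls for webhookSubscriptionCreate and the webhookSubscriptions listing, parses a listing response to find which topics already point at our callback, and refuses to declare the TOML removal safe until every shop we care about shows all wanted topics. The mutation and query names and the WebhookHttpEndpoint field are the Admin API's; the API version, callback URL and the listing responses below are constructed placeholders.

```python
import json
from typing import Dict, List, Set, Tuple

API_VERSION = "2024-10"  # assumed; use a current stable Admin API version

# Minimal field selections for the two Admin GraphQL operations involved.
CREATE_MUTATION = """
mutation Subscribe($topic: WebhookSubscriptionTopic!, $callbackUrl: URL!) {
  webhookSubscriptionCreate(topic: $topic,
      webhookSubscription: {callbackUrl: $callbackUrl, format: JSON}) {
    webhookSubscription { id topic }
    userErrors { field message }
  }
}"""

LIST_QUERY = """
query ListSubs($first: Int!) {
  webhookSubscriptions(first: $first) {
    edges { node { id topic endpoint {
      __typename ... on WebhookHttpEndpoint { callbackUrl } } } }
  }
}"""


def graphql_request(shop: str, access_token: str, query: str, variables: dict) -> Tuple[str, dict, str]:
    """(url, headers, body) for one Admin GraphQL call; send it with any HTTP client."""
    url = "https://%s/admin/api/%s/graphql.json" % (shop, API_VERSION)
    headers = {"X-Shopify-Access-Token": access_token, "Content-Type": "application/json"}
    return url, headers, json.dumps({"query": query, "variables": variables})


def active_topics(list_response: dict, callback_url: str) -> Set[str]:
    """Topics in a webhookSubscriptions response whose HTTP endpoint is our callback.
    Subscriptions pointing elsewhere (an old URL, a staging host) do not count."""
    edges = list_response.get("data", {}).get("webhookSubscriptions", {}).get("edges", [])
    found = set()
    for edge in edges:
        node = edge.get("node", {})
        endpoint = node.get("endpoint") or {}
        if endpoint.get("__typename") == "WebhookHttpEndpoint" and endpoint.get("callbackUrl") == callback_url:
            found.add(node["topic"])
    return found


def create_errors(create_response: dict) -> List[dict]:
    """userErrors from webhookSubscriptionCreate; an empty list means it was created."""
    payload = create_response.get("data", {}).get("webhookSubscriptionCreate", {})
    return payload.get("userErrors", [])


def toml_removal_safe(per_shop: Dict[str, dict], wanted: Set[str],
                      callback_url: str) -> Tuple[bool, Dict[str, Set[str]]]:
    """Only drop topics from shopify.app.toml once every shop we listen to shows an
    active API-created subscription for each of them. Returns (safe, missing_by_shop)."""
    missing = {shop: wanted - active_topics(resp, callback_url) for shop, resp in per_shop.items()}
    missing = {shop: m for shop, m in missing.items() if m}
    return (not missing), missing
```

The listing query above fetches a single page; a shop with more subscriptions than `first` needs pageInfo-based pagination before the coverage check is trustworthy. Whether TOML-managed subscriptions show up in that listing is not something this thread states, so the check deliberately keys on the callback URL of the subscriptions you created yourself.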