How to remove webhooks from shop that installed app out of band?

First, some context:

My company has an application listed on the Shopify app store.

We use app-managed webhook subscriptions, configured in our app’s TOML file.

For our customers, we direct them to install our Shopify app from our web application as part of the standard OAuth flow. The result of this gives us a shop-specific access token for each shop that authorizes our application.

We receive webhooks for these shops as expected, no problems there.

The problem:

However, it seems at least one shop (maybe more) has installed our Shopify application from the app listing directly, out of band from our application. This Shopify Shop is not a customer of ours, we do not know who they are.

It appears that because they installed our Shopify app, we are now subscribed to webhooks from that shop, just like any other shop that installs our application. But, since they installed out of band, we don’t have an access token for their shop, which means we can’t unsubscribe from webhooks for that shop (AFAICT).

We receive a fair amount of webhook traffic from this shop, which is meaningless for us, since they are not, nor ever were, our customer.

So the question is: is there a way for us to unsubscribe from webhooks for this particular shop? Or perhaps, is there a way to force an app uninstall from this shop? Is that something we can do ourselves, or do we need to contact support?

Thank you in advance!

Hi @AustinTildei

Currently there’s no way to silently uninstall the app from stores without user interaction. You can email those stores and ask them to uninstall your app. If you don’t want to do that either, you’ll probably have to check the requests in your webhook and just ignore them. @KyleG-Shopify , any thoughts?
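The "check the requests in your webhook and just ignore them" approach, as an added example that is not code from this thread or from Shopify: the delivery is authenticated first with the `X-Shopify-Hmac-Sha256` header (base64 HMAC-SHA256 of the raw body under the app's client secret), and only then is `X-Shopify-Shop-Domain` compared against the shops the platform actually holds tokens for; unknown shops are acknowledged with 200 and dropped. The client secret and shop domains are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the thread): a placeholder client
# secret and the shop domains the platform completed OAuth for.
CLIENT_SECRET = "PLACEHOLDER_CLIENT_SECRET"
KNOWN_SHOPS = {"customer-one.myshopify.com", "customer-two.myshopify.com"}


def sign_body(raw_body: bytes, client_secret: str) -> str:
    """Base64 HMAC-SHA256 as Shopify sends it in X-Shopify-Hmac-Sha256.
    Used here to build constructed deliveries for the example."""
    digest = hmac.new(client_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_signature(raw_body: bytes, header_hmac: str, client_secret: str) -> bool:
    """Constant-time comparison over the raw request bytes, not a re-serialised JSON."""
    expected = sign_body(raw_body, client_secret).encode()
    return hmac.compare_digest(expected, (header_hmac or "").encode())


def route_webhook(headers: dict, raw_body: bytes, known_shops=KNOWN_SHOPS,
                  client_secret: str = CLIENT_SECRET) -> tuple:
    """Decide how to answer one delivery. Returns (http_status, action)."""
    # 1. Authenticate first: anyone can POST to the endpoint, so the shop
    #    domain header proves nothing until the HMAC over the body checks out.
    sig = headers.get("X-Shopify-Hmac-Sha256", "")
    if not verify_signature(raw_body, sig, client_secret):
        return 401, "rejected"
    # 2. Drop deliveries from shops that never finished the OAuth exchange,
    #    but acknowledge them with 200 so Shopify does not keep retrying.
    shop = headers.get("X-Shopify-Shop-Domain", "").lower()
    if shop not in known_shops:
        return 200, "ignored"
    # 3. Only a verified delivery from a known shop reaches business logic.
    return 200, "processed"
```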

Hey @AustinTildei, can you clarify what it means when someone installs out of band? If the app is currently installed and the merchant has approved the access, you should have an access token for it in the same way all other installations do.

For programmatic removal, we have an example here on how you can do that:

Hi @KyleG-Shopify , and thanks for the response! Let me see if I can add some extra details to explain our situation better.

Our app sets embedded = false in our TOML config file. Reading this page, this indicates we need to use the authorization code grant flow to obtain an access token to act on the shop’s behalf.

By “out of band”, I was referring to installing the Shopify app directly from the app listing. However, I should have refreshed my memory before posting. I was thinking that we initiated the OAuth redirect flow from my web app’s UI. In reality, we just direct users to the Shopify app store to install, which then sends them back to our web app’s UI, as configured on the App URL in our app’s config. This is how we begin the OAuth authorization code grant flow. Apologies for the confusion there, my mistake.

In the case of these merchants that install our Shopify app without being our customers - when they are redirected to our web app’s UI after Shopify app installation, they are prompted to login to our platform. Naturally, they aren’t able to do that, so we never complete the authorization code exchange, and never obtain an access token for the shop.

I would prefer not to complete any OAuth flows (and store any data) for shops that are not registered in my platform, but that leaves me in this state where shops are sending us webhooks that we don’t care about. Is this what other partners do to handle this situation, though? Complete the authorization code exchange regardless?

Given that we don’t have an access token for the shop, and (I assume) therefore can’t uninstall the app via API request as you suggested, are there any alternative options?

Thanks again, I appreciate yours and @kyle_liu's prompt engagement.