Legacy custom app with webhooks

Hi there,

I recently attempted to create an integration with Shopify so that e-shops based in Greece can comply with Greek Tax Laws and MyData. For this, I used a custom app (now considered “legacy”) and provided instructions for shop owners to install it in their stores. The app essentially does one thing: it registers a few webhooks using the minimal permissions of read_orders, write_orders, read_products, and read_inventory. Its purpose is simply to trigger the generation of a valid invoice with the Greek Authorities’ UID in my base web app, which handles invoice creation and returns the PDF URL to the store as an order metafield.

Since “legacy custom apps” will be discontinued in less than a month, I started updating everything to the new OAuth2 flow with refresh tokens. But the most frustrating part is the required permissions that must be selected before Shopify allows webhook registration and message forwarding. As a result, the installation instructions for shop owners have essentially doubled in complexity.

This makes me wonder: am I doing something wrong? Tasks that were previously simple have become complicated, and users now need to approve and click through many steps for this to work.

Is there any alternative approach? Can a public app somehow hide or simplify all this initial setup? Since I’m new to this community, I’m really trying to understand whether the developer experience can be improved.

Hi @George_Drakakis,

This is actually expected behaviour, that Public Apps and Partner Custom Apps do need to have the merchant approve any access scopes that the app requires, with the approval taking place during the app installation process and after updating any scopes that the app requires later on, as mentioned in Shopify.dev documentation:

• About token acquisition

This is by design to ensure that merchant’s installing apps that they are not creating or are managing themselves, are able to review and approve any scopes that the app requires since it is giving permission to access certain data on their store.

The reason this step was not required with Legacy Custom Apps, is because they were created in the Merchant’s Admin directly, and needed to be created with a Merchant Staff or Partner Collaborator Account that already had the permissions required on the store with the account creating the app itself.

That all said, there is a new process for Custom App Authentication called Client Credentials Grant that replaces the old method of authentication with legacy apps.

• Using the client credentials grant

This authentication method is definitely simpler than the Authorization Code Grant workflow, as you just make a POST https://{shop}.myshopify.com/admin/oauth/access_token request with the Client ID and Client Secret in the request parameters, and does not require the merchant to approve the scopes themselves.

However you can only use this method, with a Custom App created in the Dev Dashboard from an account that belongs to the organization the app is installed on. Meaning:

• A Merchant Staff Account (not a Partner Collaborator Account) must create the app in the Dev Dashboard, in order to use Client Credentials Grant on the Merchant’s store.
• A Partner Account must create the app in the Dev Dashboard, in order to use Client Credentials Grant on a Partner Development store.

TLDR:

• If you do not want the merchant to have to approve any access scopes used with the app installed on the store, you have to use Client Credentials Grant with a Custom App installed on the store
• Public Apps cannot use this process and must use Authorization Code Grant, or Session Token Exchange, and requires the merchant to approve the scopes used.
• If you use Client Credentials Grant with a Custom App, the app has to be created via a Merchant Staff’s account logged into the Dev Dashboard. You can walk them through this process, and have them provide you with the Client Id and Client Secret displayed in the Dev Dashboard to use Client Credentials Grant.

Edit:

I apologize as I was incorrect with some of the information above, with a Custom App the merchant creates in the Dev Dashboard and installs on their store, they do still need to approve the access scopes requested in the app configuration (in the Dev Dashboard or the app’s .toml file)

When the merchant installs the app, they will be requested to approve the scopes, and when the scopes are updated the next time the merchant access the app in the admin they will be requested to approve the scopes.

While Client Credential Grant is definitely a simpler method of authentication, it does still require the merchant to manually approve the scopes the app needs. There is no way around this limitation at this time.

First of all, I really thank you Kellan for your fast and detailed answer!

You say “If you do not want the merchant to have to approve any access scopes used with the app installed on the store, you have to use Client Credentials Grant with a Custom App installed on the store”

That exactly is my case, I replaced the old not expiring admin Token with the new client_credentials grant ( that expires each day and needs to be refreshed, more complex code needed).

The custom (NOT PUBLIC) App is created by the shop owner in their dev dashboard and they install it in their store. They put their generated Client_id and secret to my web app and they give the shopify app the 4 permissions I mentioned and needed.

• By doing this with the new way the app doesn’t allow webhooks to be created because of “protected customer data”
• If you fill in the 1 step from the form ( that is not accessible through the dev dashboard so I googled it ) you are permitted to do the webhook registrations through the API, BUT
• The webhooks of orders/paid are not triggered, because it seems that you need to fill in the rest of the form as well. When I filled the form completely, orders/paid webhooks started working.

All those steps are not that clear and in the previous way not needed. You just needed to take the api token and select 4 permissions. The complexity is there for sure, unless I am missing something. If this is the way to go, fine. Already implemented everything but really wondering if giving the shop owners so many instructions for such an “easy” task is the best possible experience for them and if I am missing something critical since I am very new to this community.

Hi @George_Drakakis,

Thanks for the additional context, I do just want to point out the edit I made in my previous post, as I did share some incorrect information initially and corrected it after.

It does sound like you have a solid understanding of the needed workflow, and have it implemented already which is great, and unfortunately due to all apps being created in the Dev Dashboard now, including Merchant Custom Apps, all apps will require the merchant to approve the scopes to use them.

I think going forward you have two options for the simplest workflow for the merchant themselves.

Partner Custom App using Authorization Code Grant:

1. Create a Partner Custom App, in the Dev Dashboard from your own Partner Account
2. Implement Authorization Code Grant to set the scopes and get access tokens on install.
3. Provide the merchant with the install link from the Dev Dashboard when you select Custom Distribution.
4. Merchant will only need to visit the install link, then will be redirected to the scope approval page automatically, they simply have to press the button to install the app, then press the button to approve the scopes requested.

• This is the simplest for the merchant, but it does add complexity in your implementation with the Authorization Code Grant workflow.

Merchant Subscribed Webhooks:

1. Provide the Merchant with the webhook topic, and your webhook endpoint URL that you need to subscribe
2. Guide the merchant in their store’s admin to settings > notifications and have them subscribe the webhooks directly

• This method is less simple for the merchant, but it’s still not very complex and is a well documented process in our Shopify Help Center. This also does not require ANY apps on your end as the webhooks are subscribed directly via the merchant’s admin. This won’t be viable if your app does need to make any other API calls other than just subscribing to webhooks.
  • Shopify Help Center | Creating webhooks

I do understand that the new methods of app creation and authentication is not ideal, compared to the previous Legacy Custom App workflow. Our developers are aware of this and will be looking into way to improve this workflow in the future, and I will be submitting some feedback on your behalf internally regarding this as well.

Ι really thank you for your time, I’ll read your answer very carefully and I hope that’ll solve my issues.

Thanks again!