Session -> Access Token exchange with managed install query params

Hi there,

I’m experimenting with managed installs, and I noticed there are query params included when the merchant loads our embedded app with managed installs enabled.

I assumed the id_token or session query string parameter was a session token, but the tokens exchange API endpoint is always returning a 400 error (Bad session token).

Is it not possible to actually server side render with a managed install at this time? Meaning, I always have to use the session token retrieval on the frontend through the App Bridge?

I was really hoping I could do the initial session token → access token exchange on the server side before the client side is rendered.

Thanks,

This is turning into a self-answering question.

So it looks like the future of Shopify apps is managed installs.

The difference is that you set your access scopes within the shopify.app.toml and then Shopify will perform the OAuth handshake for you.

When the merchant installs your app, they’re immediately redirected to your app’s home URL (as defined in your app settings).

At this point, the merchant is already authenticated, and the session token information is included in the query string on first load.

Then you can use the Access Token Exchange API to exchange the session token for offline (or online) access tokens.

Alternatively, you can just use the AppBridge on the frontend to retrieve the session token, and then send it to your app’s backend for the exchange.

So, in some ways the Shopify Node API OAuth callback system is an older way of going about it, and it is not compatible with managed installs, because the managed installs flow does not include cookies.

For anyone else (or future me) that forgets about this and tries to use the Shopify Node API package, don’t try to use managed installs with the OAuth features of this package. Instead just perform the token exchange given the session token once the merchant opens your home URL.

Hey Dylan!

Thanks for coming back to update on how access scopes and OAuth are managed - do you have any outstanding questions on this that I can help answer?

All good thanks @Liam-Shopify

The managed installs plus token exchange method is working brilliantly. Very happy with it.

The only feedback I have is that this new route doesn’t have as much documentation or tooling as the other way.

There’s no session → access token exchange support built into the official Shopify Node.js library yet as far as I can see.

And all of the official Node.js tutorials use the self-managed OAuth callbacks.

But this is definitely a huge step in the right direction DX-wise.