I’m experimenting with managed installs, and I noticed there are query params included when the merchant loads our embedded app with managed installs enabled.
I assumed the id_token or session query string parameter was a session token, but the token exchange API endpoint is always returning a 400 error (Bad session token).
Is it not possible to actually server-side render with a managed install at this time? Meaning, I always have to use the session token retrieval on the frontend through the App Bridge?
I was really hoping I could do the initial session token → access token exchange on the server side before the client side is rendered.
So it looks like the future of Shopify apps is managed installs.
The difference is that you set your access scopes within the shopify.app.toml and then Shopify will perform the OAuth handshake for you.
When the merchant installs your app, they’re immediately redirected to your app’s home URL (as defined in your app settings).
At this point, the merchant is already authenticated, and the session token information is included in the query string on first load.
Then you can use the Access Token Exchange API to exchange the session token for offline (or online) access tokens.
Alternatively, you can just use the App Bridge on the frontend to retrieve the session token, and then send it to your app’s backend for the exchange.
So, in some ways the Shopify Node API OAuth callback system is an older way of going about it, and it is not compatible with managed installs, because the managed installs flow does not include cookies.
For anyone else (or future me) that forgets about this and tries to use the Shopify Node API package, don’t try to use managed installs with the OAuth features of this package. Instead just perform the token exchange given the session token once the merchant opens your home URL.
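
An added example, not part of the original post and not Shopify's own code: a server-side check of the id_token query parameter (HS256 signature with the app's client secret, audience, validity window, shop domain) followed by construction of the token exchange request. The function names, client ID and secret are hypothetical or constructed; the endpoint and parameter values assume Shopify's documented token exchange grant.

```javascript
// Added example; function names are hypothetical, credentials are constructed.
const nodeCrypto = require("node:crypto");

// Verify the HS256 signature and claims of the id_token query parameter.
function verifySessionToken(token, clientId, clientSecret, now = Date.now() / 1000) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, signature] = parts;
  const { alg } = JSON.parse(Buffer.from(header, "base64url").toString());
  if (alg !== "HS256") throw new Error("unexpected alg");
  const expected = nodeCrypto.createHmac("sha256", clientSecret)
    .update(`${header}.${payload}`).digest();
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected))
    throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  if (claims.aud !== clientId) throw new Error("wrong audience");
  if (now >= claims.exp || now < claims.nbf) throw new Error("expired or not yet valid");
  const shop = new URL(claims.dest).hostname; // dest is the shop origin
  if (!/^[a-z0-9][a-z0-9-]*\.myshopify\.com$/.test(shop)) throw new Error("bad dest");
  return { shop, claims };
}

// Build (but do not send) the token exchange request for the verified shop.
function buildTokenExchange(shop, sessionToken, clientId, clientSecret, online = false) {
  const kind = online ? "online" : "offline";
  return {
    url: `https://${shop}/admin/oauth/access_token`,
    method: "POST",
    headers: { "Content-Type": "application/json", Accept: "application/json" },
    body: JSON.stringify({
      client_id: clientId,
      client_secret: clientSecret,
      grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
      subject_token: sessionToken,
      subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
      requested_token_type: `urn:shopify:params:oauth:token-type:${kind}-access-token`,
    }),
  };
}

// Constructed token for offline demonstration only; real ones come from Shopify.
function signConstructedToken(claims, clientSecret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  const sig = nodeCrypto.createHmac("sha256", clientSecret).update(body).digest("base64url");
  return `${body}.${sig}`;
}
```

Verifying locally before the exchange separates an expired, mis-signed or wrong-audience token from a problem with the exchange request itself, and the shop domain used in the URL comes from the signed dest claim rather than from an unsigned query parameter.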