Hi,
We were trying to do a POC using Supabase and encountered an issue.
We ran npx shop-minis setup and received the API key, which is stored in src/.env as SHOP_MINIS_API_KEY.
We then added this value to our Supabase secrets as SHOP_MINIS_ACCESS_TOKEN.
The request we are sending:
Endpoint: https://shop.app/api/graphql
Method: POST
Headers:
Content-Type: application/json
X-Shopify-Access-Token: <key-from-src/.env>
Body:
{
  "query": "mutation VerifyUserToken($token: String!) { userTokenVerify(token: $token) { publicId tokenExpiresAt userErrors { code field message } } }",
  "variables": { "token": "<generated-token-from-useGenerateUserToken>" }
}
We tried updating the manifest file with our Supabase domain, but it didn’t work:
{
  "name": "voice-searching",
  "permissions": [
    {
      "permission": "network",
      "reason": "Connect to Supabase backend for user authentication and data",
      "domains": [
        "supabase-project-ref.supabase.co"
      ]
    }
  ],
  "scopes": [
    "product_list:write",
    "openid"
  ]
}
Current status:
- Token generation works correctly in the iOS simulator (we receive valid JWT tokens).
- However, we are getting this error:
Refused to connect to https://supabase-project-ref.supabase.co/functions/v1/verify-shop-user
because it does not appear in the connect-src directive of the Content Security Policy.
Although we updated our manifest.json, the issue persists.
We then found the following information stating that the Shopify team must approve the domain:
“Shop Minis have strict network restrictions. You can’t just add domains to the manifest yourself — only Shopify-approved hosts are allowed.”
Could you please help us with the domain approval process?
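
Added example, not part of the original post and not Shopify's or Supabase's own code: the server-side step the post describes, sending the `userTokenVerify` mutation with the API key held as a server secret and rejecting GraphQL errors, `userErrors` and expired tokens. The function names, the injectable `fetchImpl`, and the assumption that `tokenExpiresAt` is an ISO 8601 timestamp are illustrative and do not come from the post.

```javascript
// Endpoint, header name and mutation text are taken from the post above.
const SHOP_GRAPHQL_URL = "https://shop.app/api/graphql";
const VERIFY_MUTATION =
  "mutation VerifyUserToken($token: String!) { userTokenVerify(token: $token) " +
  "{ publicId tokenExpiresAt userErrors { code field message } } }";

// Build the request. The API key is read from a server secret and never sent to the client.
function buildVerifyRequest(userToken, apiKey) {
  if (typeof userToken !== "string" || userToken.length === 0) {
    throw new TypeError("userToken must be a non-empty string");
  }
  return {
    url: SHOP_GRAPHQL_URL,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "X-Shopify-Access-Token": apiKey,
      },
      body: JSON.stringify({ query: VERIFY_MUTATION, variables: { token: userToken } }),
    },
  };
}

// Turn the GraphQL response body into an accept/reject decision (fail closed).
// Assumption: tokenExpiresAt is an ISO 8601 timestamp.
function parseVerifyResponse(body, nowMs = Date.now()) {
  if (!body || (Array.isArray(body.errors) && body.errors.length > 0)) {
    return { ok: false, reason: "graphql_error" };
  }
  const result = body.data && body.data.userTokenVerify;
  if (!result) return { ok: false, reason: "missing_payload" };
  if (Array.isArray(result.userErrors) && result.userErrors.length > 0) {
    return { ok: false, reason: "user_error", codes: result.userErrors.map((e) => e.code) };
  }
  const expiresMs = Date.parse(result.tokenExpiresAt);
  if (!result.publicId || Number.isNaN(expiresMs) || expiresMs <= nowMs) {
    return { ok: false, reason: "expired_or_incomplete" };
  }
  return { ok: true, publicId: result.publicId, expiresAt: new Date(expiresMs).toISOString() };
}

// fetchImpl is injectable (hypothetical parameter) so the flow can be exercised offline.
async function verifyUserToken(userToken, apiKey, fetchImpl = fetch) {
  const { url, init } = buildVerifyRequest(userToken, apiKey);
  const res = await fetchImpl(url, init);
  if (!res.ok) return { ok: false, reason: "http_" + res.status };
  return parseVerifyResponse(await res.json());
}
```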