Subject: Storefront chat (theme extension) works only with localhost URLs; replacing with Fly domain breaks, so Customer Accounts OAuth can’t work

Hello! I’m building a Shopify app + theme app extension (storefront chat widget) following the “Storefront AI agent / Customer Accounts (MCP)” tutorial. I’m stuck with production authorization.

Context

  • Shopify app backend (deployed on Fly, public .fly.dev domain)

  • Theme app extension injects chat.js on storefront

  • Customer Accounts OAuth (PKCE) is used with scope customer-account-mcp-api:full

  • Callback endpoint on backend: /auth/callback

Core issue (not just “redirect_uri = localhost”)

My storefront widget works only when chat.js points to local endpoints:

```javascript
const streamUrl = 'https://localhost:3458/chat';
const historyUrl = `https://localhost:3458/chat?history=true&conversation_id=${encodeURIComponent(conversationId)}`;
const tokenUrl = 'https://localhost:3458/auth/token-status?conversation_id=' + encodeURIComponent(conversationId);
```

But the moment I replace localhost with my Fly domain (same paths: /chat, /auth/token-status, etc.), the widget/app “crashes” and the flow stops. Because of that, I can’t complete Customer Accounts OAuth in production.

What I see in production

  • When trying to authenticate customers, Shopify shows “Verkeerde redirect_uri” and the request contains redirect_uri=https://localhost:3458/auth/callback.

  • I understand that localhost can’t be used in prod, but I can’t switch to the Fly domain because the storefront chat stops working when I do.

What I already configured

  • In shopify.app.toml I added redirect URLs pointing to the Fly domain (multiple callback variants).

  • In environment variables I tried setting REDIRECT_URL to the Fly /auth/callback.

  • App is installed and permissions are granted.

What I need help with

What are the common reasons a theme-extension storefront script works with localhost but breaks when pointed to a real HTTPS domain?

I suspect something like:

  • CORS / missing allowed origins for the storefront domain

  • cookies or sessions not being set due to SameSite / Secure rules (cross-site storefront → Fly domain)

  • blocked third-party cookies affecting OAuth/session storage

  • websocket / SSE blocked or misconfigured behind Fly proxy

  • wrong “app URL” / “HOST” env causing auth URLs to still be generated with localhost

Which exact settings should I check on Shopify app + backend to make Customer Accounts OAuth work from a storefront extension in production?

If needed, I can provide:

  • backend logs when the widget “crashes”

  • network errors from browser devtools (CORS, 4xx/5xx, websocket errors)

  • the headers/config I’m using for CORS and cookies

Thanks!

All screens in one place here.