In embedded Shopify apps using Remix or React Router template, the frontend uses Shopify App Bridge to obtain a short-lived session token (JWT) from the Shopify Admin. That session token is generated in the context of the currently selected shop in the Admin. Each request can therefore be authenticated with the correct shop context via Authorization: Bearer .
Issue in non-embedded apps
In non-embedded apps (template with isEmbeddedApp: false), there is no App Bridge session token mechanism available to authenticate requests per tab / per shop.
Instead, authenticate.admin(request) relies on Shopify-managed cookies:
-
shopify_app_session -
shopify_app_session.sig
These cookies are set for the app domain and effectively behave as a single “active session” for the whole domain (often Path=/). As a result, if a user authenticates a second shop in another tab, the cookie is overwritten and all tabs start using the most recently authenticated shop on refresh.
Why this matters (real-world impact)
Our app is a CX/support tool. Some merchants operate multiple Shopify stores, but their support representatives are the same people working across all stores. They expect to work on multiple stores concurrently (like Shopify Admin itself supports via multiple tabs). With the current non-embedded auth behavior, they cannot keep separate shop contexts in different tabs—logging into another store “switches” all open tabs.
Expected behavior
A non-embedded app should support multi-shop usage in multiple tabs (or provide a recommended mechanism to do so) without the “last authenticated shop wins” behavior.
Any help or recommendations is appreciated!
