Performing Authentication

This is applicable only to public Shopify apps. Private apps can simply use the 'app api password' as an access token.

Get the install URL

After creating an api object and setting at least the shop domain and api key, call installURL():

$url = $api->installURL();
// https://myshop.myshopify.com/admin/oauth/authorize?client_id=1111111111&scope=

You should usually specify an array of scopes (permissions) and a URL to redirect the user to at the end:

$url = $api->installURL($afterInstallUrl, ['read_products', 'write_products']);
// https://myshop.myshopify.com/admin/oauth/authorize?client_id=1111111111&scope=read_products,write_products&redirect_uri=http%3A%2F%2Fexample.com%2Fdone

You should then redirect the user to this URL.

If you're making an app with the EASDK, use echo $easdk->hostedRedirect($url); exit; to ensure you break out of the embedded iframe for the redirect.

Get an access token

After the user chooses to install your app, they'll be redirected to the URL you provided above. When you handle the request to this URL, you must exchange the provided code for a real access token.

After creating an api object and setting at least shop_domain, api_key and api_secret, call getAccessToken().

$verify = $api->verifyRequest($request->all());
if (!$verify) {
  // Something's wrong with the data provided; reject it (or redirect the user back to install).
  return abort(400);
}

$shopDomain = $request->get('shop');
$code = $request->get('code');

$api->setup([
  'SHOP_DOMAIN' => $shopDomain
]);

try {
  $accessToken = $api->getAccessToken($code);
} catch (Exception $ex) {
  // Handle authentication error ...
  return abort(500);
}

// Save $accessToken and $shopDomain.

Verify OAuth Data

Shopify returns a hashed value to validate the data against. To validate it (recommended before calling getAccessToken()), use verifyRequest().
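
What a check of this kind involves, as an added example (not this library's verifyRequest() code). It assumes the signed message is every query parameter except hmac, sorted by key and joined as key=value pairs with &, keyed with the API secret using HMAC-SHA256; verifyShopifyCallback() and all sample values are hypothetical.

```php
<?php
// Added example: not the library's verifyRequest() implementation.
// Assumption: the signed message is every query parameter except "hmac",
// sorted by key and joined as key=value pairs with "&".

function verifyShopifyCallback(array $query, string $apiSecret): bool
{
    if (!isset($query['hmac'], $query['shop'])
        || !is_string($query['hmac']) || !is_string($query['shop'])) {
        return false;
    }

    // The shop value later decides which host the token exchange is sent to,
    // so accept only a myshopify.com hostname.
    if (preg_match('/\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/i', $query['shop']) !== 1) {
        return false;
    }

    $provided = $query['hmac'];
    unset($query['hmac']);
    ksort($query, SORT_STRING);

    $pairs = [];
    foreach ($query as $key => $value) {
        if (!is_scalar($value)) {
            return false; // Array-valued parameters are not expected here.
        }
        $pairs[] = $key . '=' . $value;
    }
    $expected = hash_hmac('sha256', implode('&', $pairs), $apiSecret);

    // Constant-time comparison: do not use == or strcmp() on signatures.
    return hash_equals($expected, $provided);
}

// Constructed sample: sign a callback with a made-up secret.
$secret = 'constructed-api-secret';
$callback = ['code' => 'abc123', 'shop' => 'myshop.myshopify.com', 'timestamp' => '1700000000'];
$message = 'code=abc123&shop=myshop.myshopify.com&timestamp=1700000000';
$callback['hmac'] = hash_hmac('sha256', $message, $secret);

// Unmodified callback.
var_dump(verifyShopifyCallback($callback, $secret));

// Same signature, but shop changed after signing to another well-formed hostname.
var_dump(verifyShopifyCallback(['shop' => 'other.myshopify.com'] + $callback, $secret));
```

The second call passes the hostname check but fails the signature comparison, which is why both checks run before $shopDomain is handed to setup() and getAccessToken().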
