Shopify API Authentication

Every Shopify API call looks something like this:

  https://api_key:password@some-store.myshopify.com/admin/some-resource

For example, the following call fetches all of some-shop's orders:

  https://API_KEY:SOME_PASSWORD@some-shop.myshopify.com/admin/orders.xml

Without a valid API key and password, nothing works.

This article covers how to find and generate those two credentials.

API keys and secrets

Each Shopify application has an API key and a secret known only to you and Shopify. Never share this secret: if someone else gets hold of it, they can access anything your application has access to (which is really bad when shop owners have trusted you, and only you, to keep their data safe).

To illustrate the process of authentication, let’s say that you’ve created a Shopify application called Mega Invoice, and it has an API key “invoice-api-key”, and a secret “hush”.

We can see these credentials in this screenshot from the Shopify Partners admin:

Under normal circumstances, the API key and secret are strings of random characters (e.g. "f26eb9d7cd1352014d22a54e13bf6259"), but we'll keep it simple for this example.

Mega Invoice is set up at http://megainvoice.com, and you've configured it so that after installation it redirects shop owners to http://megainvoice.com/welcome

We can see the return URL in this screenshot from the Shopify Partners admin:

Installation Walkthrough

Now that we’ve set the stage, let’s walk through a shop owner installing Mega Invoice:

  1. A shop owner is amazed by your marketing on the app store and ends up looking at the "Installing Mega Invoice" screen, which is otherwise reachable with:

       GET <shop url>/admin/api/auth?api_key=<API key>

  2. The shop owner clicks "Install", and in doing so grants your application access to their shop's data.

  3. Shopify redirects to Mega Invoice's return URL, appending the shop name and an authentication token as parameters:

       GET http://megainvoice.com/welcome?shop=some-shop.myshopify.com&t=a94a110d86d2452eb3e2af4cfb8a3828

     (In this case, the authentication token t is a94a110d86d2452eb3e2af4cfb8a3828.)

  4. Mega Invoice concatenates its secret with the authentication token t and hashes the result with MD5; the hex digest is the API password:

       password = MD5.hexdigest(secret + t)

     which in our example is:

       password = MD5.hexdigest("hush" + "a94a110d86d2452eb3e2af4cfb8a3828")

     so the generated password, specific to Mega Invoice and some-shop, is 36b29a08b3113077f14777570c0577ed. Note that the order matters when you hash: it must be secret followed by token, never the other way round.

  5. That's it! We're done: we know the Mega Invoice API key and the password, so we can run an API call like this:

       https://invoice-api-key:36b29a08b3113077f14777570c0577ed@some-shop.myshopify.com/admin/orders.xml

     and receive all of some-shop's orders.
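The five steps above, carried through in Ruby as an added example (this is not code from the article or from Shopify; it uses the article's constructed values "invoice-api-key", "hush", some-shop.myshopify.com and the token a94a110d86d2452eb3e2af4cfb8a3828). The parsing helper, the input checks, and the choice to send the credentials in an Authorization header rather than in the URL are the example's own additions, not something the article prescribes:

```ruby
require "digest/md5"
require "uri"
require "base64"

# Step 4 from the article: the application secret concatenated with the
# authentication token t, hashed with MD5 to a lowercase hex digest.
# Order matters: secret first, then token.
def shopify_api_password(secret, token)
  Digest::MD5.hexdigest(secret + token)
end

# Step 3: parse the post-install redirect and pull out shop and token.
# The shape checks are this example's own addition: a garbled or forged
# callback should fail loudly rather than yield a password for the wrong shop.
def parse_install_callback(url)
  uri    = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  shop   = params["shop"].to_s
  token  = params["t"].to_s
  unless shop.match?(/\A[a-z0-9-]+\.myshopify\.com\z/)
    raise ArgumentError, "unexpected shop domain: #{shop.inspect}"
  end
  unless token.match?(/\A[0-9a-f]{32}\z/)
    raise ArgumentError, "token must be a 32-character hex string"
  end
  { shop: shop, token: token }
end

# Step 5: build the API request. The article writes api_key:password into the
# URL userinfo; this example sends the same pair as an HTTP Basic Authorization
# header (which is what HTTP clients turn URL userinfo into anyway), so the
# password does not end up in URL logs, proxies, or browser history.
def build_api_request(api_key, password, shop, resource)
  credentials = Base64.strict_encode64("#{api_key}:#{password}")
  {
    url:     "https://#{shop}/admin/#{resource}",
    headers: { "Authorization" => "Basic #{credentials}" }
  }
end

# The whole walkthrough with the article's constructed values. Returns the
# request plus the derived password so callers can inspect both.
def mega_invoice_walkthrough
  api_key  = "invoice-api-key"
  secret   = "hush"
  callback = "http://megainvoice.com/welcome?shop=some-shop.myshopify.com" \
             "&t=a94a110d86d2452eb3e2af4cfb8a3828"
  install  = parse_install_callback(callback)
  password = shopify_api_password(secret, install[:token])
  # The article reports 36b29a08b3113077f14777570c0577ed for these inputs.
  build_api_request(api_key, password, install[:shop], "orders.xml")
    .merge(password: password)
end

if __FILE__ == $0
  req = mega_invoice_walkthrough
  puts "GET #{req[:url]}"
  req[:headers].each { |name, value| puts "#{name}: #{value}" }
end
```

Run it with `ruby` to print the request line and header for the some-shop example. Keeping the secret out of the callback handler's logs and treating the redirect parameters as untrusted input are the two points the checks above are meant to make concrete.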
Last updated Oct 2009.