To setup your Shopify app in Cobalt for OAuth, you will need the following credentials from your Shopify Partner Dashboard:

  • Client ID
  • Client Secret
  • Scopes

Pre-requisites

  1. Shopify Developer account or Shopify Partners account. You can create one here.
  2. Shopify development store. Follow the steps here to create a development store.
If you haven’t already created an app in Shopify, you’d need to create one.

Creating an app in Shopify

To create a Shopify app and acquire the above mentioned credentials, please follow the steps mentioned below:

  1. Log in to your Shopify Partner Dashboard.
  2. Click on Apps in the left menu of the Dashboard.
  1. Click on the Create App button in the top right and choose Create App Manually.
  2. Enter the unique App Name for your application and click on Create.
  3. In Cobalt, go to your Apps catalog > Search for Shopify > Settings > Use your credentials > Callback Url. Copy the Callback URL as provided in your Shopify settings page.
  4. In the App settings in Shopify Partner Dashboard, navigate to Build > Configuration > URLs section > Remove the default URL present in Allowed redirection URL(s) > Paste the copied Callback Url > Click on the Save and Release button in the top side > Release.
  1. Navigate to Overview in the left menu and copy the Client ID and Client Secret from the Client credentials section.

Configuring credentials in Cobalt

App settings page lets you configure the authentication settings for an OAuth2 based application. For your customers to provide you authorization to access their data, they would first need to install your application. This page lets you set up your application credentials.

Provide the acquired Client ID and Client Secret under Settings of the app and save it.

Configuring Scopes

Cobalt lets you configure what permissions to ask from your users while they install your application. The scopes can be added or removed from the App settings page, under Permissions & Scopes section.

For some applications Cobalt sets mandatory scopes which cannot be removed. Additional scopes can be selected from the drop down. Cobalt also has the provision to add any custom scopes supported by the respective platform.

Once the scopes has been added to the application in Cobalt, the app will now request for access of the mentioned scopes.

If you are facing scopes missing or invalid scope error. Make sure you are not passing any custom scope not supported by the platform.

Access to protected customer data

Some Shopify APIs alongwith the scopes, also require access to protected customer data. For eg. Abandoned checkouts, Draft Order etc.

To Request Access of protected customer data:

  1. In the left menu of the App, select API access.
  2. Scroll down to Access requests section > Protected customer data access > Request access.
  1. Select Protected customer data, provide your reasons for using it, and click Save.
  2. Complete rest of the requirements and submit the app for review.
To learn more about protected customer data, visit here.

Managing Distribution of the Shopify App

To setup Shopify App Distribution:

  1. In the left menu of App settings, navigate to Release > Distribution.
  2. Choose Public distribution from Select a distribution method.

You can’t change the distribution method after you select it, so make sure that you understand the different capabilities and requirements of each type.

  1. Click on Select and confirm the distribution selected.

Going Live with Shopify

Once you have tested the Shopify integration with Cobalt using a test shop, it is time to publish your application so that other production shops of different organizations can install/authorize your application.

Shopify mandates publishing and listing of your application in order to be installed by other users from different organizations. This requires a review from the Shopify team who make sure that the application is installed through their marketplace as well and not just through the installation URL generated through Cobalt’s SDKs.

To list your application on Shopify, the following steps need to be followed:

1. Setup App URL page

As soon as the user clicks to install your application on Shopify’s marketplace, they are redirected to the App URL provided by you in the Shopify app configuration.

Make sure a page exists for the URL provided or create a new page. This page would be responsible for handling installation requests.

When the user is redirected to the App URL page, you can access the shop_name from the URL argument shop.

Create another page to handle the redirect URL. Then using the Redirect page URI, Client ID, Shop name and required scopes, generate the following Shopify auth URL and open it in the browser for the user redirected to the App URL page. This opens up the Shopify permission page.

https://{Shop_Name}/admin/oauth/authorize?client_id={SHOPIFY_CLIENT_ID}&redirect_uri={REDIRECT_CALLBACK_URL}&scope={SHOPIFY_SCOPES}

2. Setting up Redirect URL page

In the previous step, we created a page to handle redirect URI and used that to generate the Shopify auth URL. Add the Redirect URL as one of the Allowed Redirection URLs in the application configuration.

Once the user allows permissions from the Shopify permission page, the user is redirected to to this page. The URL consists of the shop name and a code.

3. Acquiring access token from redirect URL

Make use of the shop name and code from the previous step to make an API call to get the Access token.

curl --location --request POST 'https://{Shop-Name}.myshopify.com/admin/oauth/access_token?client_id={Client-ID}&client_secret={Client-Secret}&code={Code}'

Replace the Client ID and Client Secret with your valid credentials. This will provide you with a response consisting of the access token and shop name. Migrate the acquired token to Cobalt.

4. Migrating access token to Cobalt

Once the access token is acquired, send it to Cobalt for further handling API authentications, token expiries and retries.

curl --location --request PUT 'https://api.gocobalt.io/api/v2/public/migrate-token' \
--header 'x-api-key: {{Cobalt API KEY}}' \
--header 'linked_account_id: {{LINKED_ACCOUNT_ID}}' \
--header 'Content-Type: application/json' \
--data '{
    "slug":"shopify",
    "auth_object":{
        "access_token": {{Access Token}},
        "store_name": {{Store Name}}
    }
}'

Replace the API key, linked account ID, access token and store name with the valid values.

5. Subscribing to mandatory privacy webhooks

Shopify requires you to provide compliance webhook URLs to publish applications to the marketplace. They use this webhook URL to notify regarding Customer data requests, Customer data erasure, and Shop data erasure so that relevant action be taken.

Copy the Single webhook URL from the Cobalt Shopify app setting page and paste them as Shopify Compliance webhooks URLs in the Shopify app configuration page. Click Save and release at the top to save your changes.

  • Creating workflows to respond to privacy webhooks

Next, create 3 workflows that listen for these triggers in the workflow builder and publish them for all users:

  1. Customer data request (Customer Data Requested Trigger)
  2. Customer data erasure (Delete Customer Data Requested Trigger)
  3. Shop data erasure (Delete Shop Data Requested Trigger)

Actions and triggers

Once the above setup is completed, you can create orchestrations of your use-cases using Shopify actions and triggers. Following are the set of Shopify actions and triggers supported by Cobalt.