Customer Portal

Handle OAuth callback from Shopify

OAuth 2.0 callback endpoint that receives the authorization code from Shopify after customer authorization. This endpoint is called automatically by Shopify after the customer authorizes the app.

Full behavior, validation rules, and side effects

Flow:

Shopify redirects customer here with authorization code and state
Validates state parameter to prevent CSRF
Exchanges authorization code for access token using PKCE verifier
Validates ID token (JWT) from Shopify
Stores access token and refresh token securely
Redirects customer back to original return URL

Security:

Validates state parameter matches stored value
Uses PKCE code verifier to exchange authorization code
Validates ID token signature and claims
State expires after 10 minutes

Error Handling:

If customer denies authorization, redirects with error parameter
If token exchange fails, redirects with error parameter
All errors are logged for debugging

Note: This endpoint should not be called directly - it’s invoked by Shopify’s OAuth redirect.

GET

subscriptions

api

customer-account-api

oauth

callback

Handle OAuth callback from Shopify

curl --request GET \
  --url https://www.myshop.com/apps/subscriptions/cp/api/customer-account-api/oauth/callback

Query Parameters

code

string

Authorization code from Shopify (if successful)

state

string

required

State parameter for CSRF protection

error

string

Error code if authorization failed

error_description

string

Human-readable error description

Response

Redirects to return URL with success or error parameter

Check Customer Account API authentication status

Logout from Customer Account API

Handle OAuth callback from Shopify

curl --request GET \
  --url https://www.myshop.com/apps/subscriptions/cp/api/customer-account-api/oauth/callback

Documentation Index

Query Parameters

Response