Authentication
Authenticate admin requests, handle OAuth, and manage sessions in shopify-app-nuxt.
Admin Authentication
Use useShopifyAdmin() in your server API routes to authenticate requests from the Shopify admin. The returned admin object provides a typed GraphQL client powered by @shopify/admin-api-client:
server/api/products.ts
export default defineEventHandler(async (event) => {
  const { admin, session } = await useShopifyAdmin(event)
  const { data } = await admin.graphql(`{
    products(first: 5) {
      edges {
        node {
          id
          title
        }
      }
    }
  }`)
  return data
})
GraphQL with variables
const { data } = await admin.graphql(
  `#graphql
  mutation populateProduct($input: ProductInput!) {
    productCreate(input: $input) {
      product {
        id
        title
      }
    }
  }`,
  {
    variables: {
      input: { title: 'New Product' }
    }
  }
)
Full AdminContext return type
| Property | Type | Description |
|---|---|---|
| session | Session | The authenticated Shopify session |
| admin | AdminApiContext | GraphQL API client |
| sessionToken | JwtPayload \| undefined | Decoded session token (embedded apps only) |
| billing | BillingContext | Helpers for require(), check(), request() |
| cors | (response) => Response | Add CORS headers to a response |
| redirect | (url, init?) => Response | Redirect helper that works inside embedded iframes |
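As an added example (not code from shopify-app-nuxt), this sketch shows the checks Shopify documents for an embedded-app session token, which is what stands behind a decoded sessionToken. The helpers verifySessionToken and signSample are hypothetical, and every key, secret and shop value is constructed.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'

// Claims of an embedded-app session token (per Shopify's session token docs).
interface SessionTokenClaims {
  iss: string; dest: string; aud: string; sub: string; exp: number; nbf: number
}

const b64url = (s: string): Buffer => Buffer.from(s, 'base64url')

// Hypothetical helper (not a module API): returns the claims or throws.
function verifySessionToken(
  token: string, apiKey: string, apiSecret: string,
  now: number = Math.floor(Date.now() / 1000),
): SessionTokenClaims {
  const [h = '', p = '', sig = '', ...rest] = token.split('.')
  if (!h || !p || rest.length) throw new Error('malformed token')
  // Pin the algorithm; never let the token header choose it (e.g. "none").
  if (JSON.parse(b64url(h).toString('utf8')).alg !== 'HS256') throw new Error('unexpected alg')
  // Recompute the HMAC with the app secret; compare in constant time.
  const expected = createHmac('sha256', apiSecret).update(`${h}.${p}`).digest()
  const given = b64url(sig)
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature')
  }
  const c = JSON.parse(b64url(p).toString('utf8')) as SessionTokenClaims
  if (c.aud !== apiKey) throw new Error('wrong audience') // minted for another app
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired')
  if (typeof c.nbf !== 'number' || c.nbf > now) throw new Error('not yet valid')
  // iss is https://{shop}/admin, dest is https://{shop}: the hosts must agree.
  if (new URL(c.iss).hostname !== new URL(c.dest).hostname) throw new Error('iss/dest mismatch')
  return c
}

// Builds a constructed sample token, signed locally with a made-up secret.
function signSample(claims: SessionTokenClaims, secret: string, alg = 'HS256'): string {
  const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString('base64url')
  const body = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`
  return `${body}.${createHmac('sha256', secret).update(body).digest('base64url')}`
}
```

The order matters: claims are read only after the signature check passes, so a forged payload never reaches the audience or expiry comparisons.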
OAuth Routes
The module automatically registers these routes to handle the full OAuth flow:
| Route | Purpose |
|---|---|
| GET /_shopify/auth | Start the OAuth flow |
| GET /_shopify/auth/callback | Handle the OAuth callback from Shopify |
| GET /_shopify/auth/exit-iframe | App Bridge iframe escape page |
| GET /_shopify/auth/session-token | Session token bounce page |
The prefix /_shopify/auth is configurable via the authPathPrefix option in nuxt.config.ts.
You don't need to create these routes; the module registers them automatically. Just make sure your app's redirect URL is set to {APP_URL}/_shopify/auth/callback in the Partners Dashboard.
Other Authentication Types
Shopify Flow
server/api/flow.ts
export default defineEventHandler(async (event) => {
  const { session, admin, payload } = await useShopifyFlow(event)
  // Handle Flow trigger/action
})
Public requests (checkout extensions, etc.)
server/api/public/widget.ts
export default defineEventHandler(async (event) => {
  const { sessionToken, cors } = await useShopifyPublic(event)
  // sessionToken contains the decoded JWT payload
  // Use cors() to wrap your response with CORS headers
})
POS extensions
server/api/pos/action.ts
export default defineEventHandler(async (event) => {
  const context = await useShopifyPos(event)
  // Handle POS extension request
})
Fulfillment service
server/api/fulfillment.ts
export default defineEventHandler(async (event) => {
  const context = await useShopifyFulfillmentService(event)
  // Handle fulfillment service callback
})
Unauthenticated access (background jobs)
For accessing the Shopify API without an incoming request (cron jobs, background tasks):
server/api/cron/sync.ts
export default defineEventHandler(async () => {
  const { admin } = await useShopifyUnauthenticatedAdmin(
    'my-shop.myshopify.com'
  )
  const { data } = await admin.graphql(`{
    products(first: 10) { edges { node { id title } } }
  }`)
  return data
})
Merchant login (non-embedded apps)
server/api/login.ts
export default defineEventHandler(async (event) => {
  const { errors } = await useShopifyLogin(event)
  // Handle login for non-embedded app flows
})