{{ ('Shopify') }} {{ ('settings') }}.

{{ __('Configure Shopify app credentials so workspaces can connect their stores and receive WhatsApp notifications for orders, customers, and abandoned checkouts.') }}

{{-- ─────────────────────────────────────────────────────── Step-by-step "How to create your Shopify app" guide. Mirrors the setup-steps pattern on /shopify so admins see the same affordances customers see. ─────────────────────────────────────────────────────── --}}

{{ __('Follow these six steps on the Shopify Dev Dashboard to issue the credentials you paste below. This only needs to happen once for the whole platform — every workspace then uses the same app via OAuth.') }}

1

{{ __('Create a Shopify Partners account') }}

Go to {{ __('partners.shopify.com/signup') }} and sign in with the email that will own this integration. Partners accounts are free.
2

{{ __('Open the Dev Dashboard and create an app') }}

From your Partner account open the {{ __('Shopify Dev Dashboard') }} → {{ __('Apps → Create app') }}. Pick Public app (so any Shopify merchant can install). Name it after your platform.

{{ __('Note (2026):') }} legacy custom apps created from {{ __('Shopify Admin → Apps') }} can no longer be created since Jan 1, 2026 — you must use the Dev Dashboard or Shopify CLI.
3

{{ __('Set the App URL and Allowed redirection URL') }}

In the app's {{ __('Configuration') }} tab, scroll to {{ __('URLs') }}. Paste these exactly — the redirect URL must match what we send to Shopify or OAuth fails with {{ __('redirect_uri mismatch') }}:

{{ __('App URL') }}

{{ __('Allowed redirection URL(s)') }}
4

{{ __('Copy the API credentials') }}

Open {{ __('Configuration → Client credentials') }}. Reveal both values and paste them into {{ __('Client ID') }} (a.k.a. {{ __('API Key') }}) and {{ __('Client secret') }} (a.k.a. {{ __('API Secret Key') }}) below. The secret is shown once — copy it carefully.
5

{{ __('Add mandatory GDPR webhooks') }}

In {{ __('Configuration → Compliance webhooks') }}, set all three URLs to the endpoint below. Shopify requires these before App Store submission and silently fails install otherwise.

Topics: {{ __('customers/data_request') }}, {{ __('customers/redact') }}, {{ __('shop/redact') }}. Each Shopify webhook is HMAC-SHA256 signed with your Client Secret — we verify {{ __('X-Shopify-Hmac-Sha256') }} on every delivery.
6

{{ __('Enable Shopify here & save') }}

Tick the {{ __('Enable Shopify') }} switch in the credentials box and hit {{ __('Save changes') }}. Workspace owners can now connect their stores at /shopify.

{{ __('Client ID') }} * {{ __("Also known as the API Key. Found in your Shopify app's API credentials tab.") }} {{ __('Client secret') }} * {{ __('Also known as the API Secret Key. Stored encrypted; never rendered back. Leave blank to keep the saved one.') }} {{ __('API access scopes') }} Comma-separated. Default {{ __('read_products,read_orders,write_orders,read_customers,read_checkouts,read_inventory') }} is enough for order/customer messaging + product sync. Note: {{ __('read_orders') }} only exposes the last 60 days — request {{ __('read_all_orders') }} from Shopify if you need historical data. Changing scopes forces every store to re-authorize. {{ __('Redirect URI') }}

Paste this in your Shopify app's "Allowed redirection URL(s)" field. Leave blank to auto-generate. {{ __('Webhook endpoint') }} (auto-generated)

{{ __('Each connected store gets its own webhook secret — this is the URL pattern.') }}

@php $checks = [ 'credentials saved' => $clientId !== '' && $hasSecret, 'feature enabled' => $enabled, 'redirect set' => $redirectUri !== '', ]; @endphp @foreach ($checks as $label => $ok) {{ $ok ? '✓ ' : '○ ' }}{{ $label }} @endforeach

{{ __('In the') }} {{ __('Dev Dashboard') }} → your app → {{ __('Configuration → Client credentials') }}. Rotate the secret if it leaks.

{{ __('See') }} {{ __('access-scopes docs') }}. Adding scopes after install requires every store to re-authorize.

{{ __('Must match') }} {{ __('Allowed redirection URL(s)') }} in the app config exactly — protocol, host, path, no trailing slash.

{{ __('We target the stable') }} 2026-01 Admin API. Shopify ships a new version each quarter; non-breaking on minor releases.

{{ __('Every incoming Shopify webhook carries') }} {{ __('X-Shopify-Hmac-Sha256') }}; we verify against the raw request body using your Client Secret and reject mismatches with 401.

{{ __('OAuth authorization code grant →') }} {{ __('HTTPS webhook delivery →') }} {{ __('Privacy law compliance webhooks →') }} {{ __('API versioning →') }} {{ __('Legacy custom apps deprecated (Jan 2026) →') }}

{{ __('Install on a development store first and walk through OAuth + a test order webhook before enabling for paying merchants.') }}

{{ ('Shopify') }} {{ ('settings') }}.

{{ __('How to create your Shopify app') }}

{{ __('App credentials') }}

{{ __('Install readiness') }}

{{ __('Live across workspaces') }}

{{ __('Shopify') }} {{ __('settings') }}.

{{ __('How to create your Shopify app') }}

{{ __('App credentials') }}

{{ __('Install readiness') }}

{{ __('Live across workspaces') }}

{{ ('Shopify') }} {{ ('settings') }}.