How to Identify Logged-In Users in Your Shopify App in 2025: A Step-by-Step Guide
Why Identifying Logged-In Users Matters in Shopify Apps
Hey there, I’m Ayush, and if you’re building a Shopify app in 2025, you’ve probably run into this issue: the email provided for a shop isn’t always reachable, and worse, it doesn’t tell you who is actually using your app.
When someone installs your app or logs in via the Shopify dashboard, you need to know who they are, not just the generic shop email tied to the account. This is critical for personalizing experiences, troubleshooting, or even ensuring proper account management.
The default setup doesn’t give us this granularity, so I’ve figured out a clean way to solve it using Shopify’s authentication tools. Let’s dive into the problem and the solution.
The current challenge? The shop email (e.g., info@store.com) is often a generic info or admin address that doesn’t reflect the actual human installing or managing the app. We need to identify the active user logging in from the Shopify dashboard.
Step 1: Get a Session Token from Shopify App Bridge
The first thing you need is a session token. Shopify’s App Bridge makes this easy. This token is a secure way to authenticate the user’s session in your embedded app.
Here’s how to grab it:
- Use the App Bridge library in your frontend code to retrieve the session token.
- Shopify provides a handy guide for this: Step 1: Get a Session Token.
In your JavaScript code, it might look something like this:
```javascript
import createApp from "@shopify/app-bridge";
import { getSessionToken } from "@shopify/app-bridge-utils";

// apiKey is your app's Client ID; host is the base64-encoded host
// parameter Shopify passes to your embedded app.
const app = createApp({
  apiKey: SHOPIFY_API_KEY,
  host: HOST,
});

// Short-lived JWT identifying the user currently working in the Shopify admin.
const sessionToken = await getSessionToken(app);
```
This sessionToken is your golden ticket. It’s tied to the user currently interacting with your app in the Shopify dashboard. Now, let’s move it to the backend.
Step 2: Send the Session Token to Your Backend
Once you’ve got the session token, send it to your backend server (e.g., via a POST request). On the server side, you’ll use this token to exchange the sessionToken for an accessToken using Shopify’s GraphQL API.
Here’s the flow:
- Your frontend sends the session token to your backend (e.g., a /api/identify-user endpoint).
- Your backend takes that token and prepares to exchange it for more detailed user info.
We’ll cover the exchange in the next step, but for now, ensure your server is set up to handle this token securely. I typically use Remix, but you can adapt this to your stack.
Step 3: Exchange the Session Token for an Access Token and User Data
Now, the magic happens. You’ll exchange the session token for an online access token, which includes details about the logged-in user. Shopify’s token exchange process is well-documented here: Step 2: Get an Access Token.
You’ll need two values from your Partner account for the exchange:
- client_id - Your Shopify app’s Client ID from the Partner account
- client_secret - Your Shopify app’s Client Secret from the Partner account
Make a POST request to the shop’s OAuth endpoint:

```
POST https://{shop}.myshopify.com/admin/oauth/access_token
```

```bash
curl -X POST \
  https://{shop}.myshopify.com/admin/oauth/access_token \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{
    "client_id": "{client_id}",
    "client_secret": "{client_secret}",
    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
    "subject_token": "{session_token}",
    "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
    "requested_token_type": "urn:shopify:params:oauth:token-type:online-access-token"
  }'
```
The response will look like this:
```json
{
  "access_token": "f85632530bf277ec9ac6f649fc327f17",
  "scope": "write_orders,read_customers",
  "expires_in": 86399,
  "associated_user_scope": "write_orders",
  "associated_user": {
    "id": 902541635,
    "first_name": "John",
    "last_name": "Smith",
    "email": "john@example.com",
    "email_verified": true,
    "account_owner": true,
    "locale": "en",
    "collaborator": false
  }
}
```
Boom! You’ve got the user’s details: first_name, last_name, email, and more. The associated_user object tells you exactly who’s logged in, not just the shop email.
Step 4: Store and Use the Data
Once you’ve got this data, store it in your database (e.g., tied to the shop domain or user ID). You can use it to:
- Personalise the app experience.
- Send targeted notifications to the actual user.
- Debug issues by knowing who’s interacting with your app.
Wrapping Up
And there you have it! No more sending emails into the void. With this little trick, you'll always know exactly who's using your app - just grab that session token, do a quick swap on the backend, save the good stuff, and you're set.
Have you found a different solution that works better for you? Or maybe you've got questions about implementing this? Drop me a message! Until next time, keep building awesome things!
Happy coding,
Ayush Soni
Originally inspired by Shashank Kumar, Smart Authentication for Shopify Apps