Shopify app frontends 

Gadget offers a comprehensive toolkit for quickly constructing frontends for Shopify Apps. When connecting a Gadget app to Shopify, it automatically includes a basic, hosted frontend powered by Vite. This frontend comes preloaded with support for OAuth, Shopify's Polaris design system, multi-tenant data security, and integration with Shopify's App Bridge for embedded applications. You have the flexibility to customize this frontend according to your preferences, or you can create an entirely new external frontend from scratch using Gadget's React packages.

Frontends for Shopify apps interact with Gadget backends through the GraphQL API specific to your Gadget app, along with the corresponding JavaScript client for your application. To work with Gadget from a Shopify app frontend, there are several npm packages that are essential:

PackageDescriptionAvailable from
@shopify/app-bridgeShopify's React package for embedding React applications within the Shopify Adminnpm
@gadget-client/example-appThe JS client for your specific Gadget applicationGadget NPM registry
@gadgetinc/reactThe Gadget React bindings library, providing React hooks for making API callsnpm
@gadgetinc/react-shopify-app-bridgeThe Gadget Shopify wrapper library for Shopify Embedded App setup and authenticationnpm

Gadget installs these packages into your Gadget-hosted frontend automatically, but if you're building an external frontend you must install them yourself.

Once you've set up your Shopify connection, your Gadget app will have a built-in frontend ready for construction in your app's frontend folder. This frontend can access data from your backend, including both models synced from Shopify and models created within your application. By default, your app uses React and Shopify's standard @shopify/app-bridge-react library, so Shopify's normal helpers for navigation and data fetching are ready for use as well.

Gadget frontends for Shopify include Shopify's design system Polaris via the @shopify/polaris package as well, so your app is compliant with Shopify's App Store guidelines out of the box.

If you'd like to build your frontend outside of Gadget, refer to the external frontends guide.

Reading data from your backend 

To facilitate easy access to data from your Gadget application, including both the non-rate-limited copies of Shopify models and your custom models, you can leverage the @gadgetinc/react hooks library in your frontend. This library provides a set of hooks, such as useFindOne, useFindMany, and useFindFirst, specifically designed for fetching data from your Gadget app.

When utilizing these hooks, each one returns an object that includes the requested data, the current fetching state, and an error object if any error occurred during the data retrieval process. Additionally, the returned object includes a refetch function that allows you to refresh the data if needed.

By using the provided hooks from the @gadgetinc/react library, you can easily fetch and manage data from your Gadget app within your frontend code. These hooks simplify the process of data retrieval, provide relevant states and error handling, and offer a convenient mechanism for refreshing the data when necessary.

For example, if you have the Shopify Product model enabled in your Connection, we can fetch product records in a variety of ways:

jsx
1// fetch one product by id
2const [{ data, fetching, error }, refetch] = useFindOne(api.shopifyProduct, 10);
3
4// fetch the first 10 products
5const [{ data, fetching, error }, refetch] = useFindMany(api.shopifyProduct, { first: 10 });
6
7// fetch the first product with the title field equal to "Socks", throw if it isn't found
8const [{ data, fetching, error }, refetch] = useFindFirst(api.shopifyProduct, { where: { title: "Socks" } });
9
10// fetch the first product with the title field equal to "Socks", return null if it isn't found
11const [{ data, fetching, error }, refetch] = useMaybeFindFirst(api.shopifyProduct, { where: { title: "Socks" } });

Data from other models that you've created in your application is accessed the same way. For example, if we're building a free shipping banner app, you might create a Banner model that stores details about each shipping banner created. We can fetch banner records with the same React hooks:

jsx
// fetch one banner by id
const [{ data, fetching, error }, refetch] = useFindOne(api.banner, 10);
// fetch the first 10 banners
const [{ data, fetching, error }, refetch] = useFindMany(api.banner, { first: 10 });

Each of these hooks must be wrapped in a React component to render. For example, we can use useFindMany to display a list of products in a component:

jsx
1import { useFindMany } from "@gadgetinc/react";
2import { api } from "../api";
3
4export const ProductsList = (props) => {
5 const [{ data, fetching, error }, _refetch] = useFindMany(api.shopifyProduct, { first: 10 });
6
7 if (fetching) {
8 return <div>Loading...</div>;
9 }
10
11 if (error) {
12 return <div>Error: {error.message}</div>;
13 }
14
15 return <ul>
16 {data.map((product) => <li key={product.id}>{product.title}</li>)}
17 </li>
18}

For more on reading data in the frontend, see the building frontends guide and the @gadgetinc/react reference.

Shopify permissions 

Gadget incorporates multi-tenant data permissions as the default configuration for your application. By default, an app loaded for a specific Shopify shop can only access data within that particular shop and is not authorized to access data from other shops. This default setup utilizes the Shopify App User role for enforcing these permissions, and you have the flexibility to customize the permissions for this role on the Roles & Permissions page.

In Gadget, multi-tenant data permissions are automatically enforced for Shopify models. However, access to your own models is not automatically granted. To enable frontend access to your models, you need to assign permissions to the Shopify App User role for each model you wish to make accessible. For instance, if you want to access a model named Banner, you can navigate to the Roles & Permissions screen and select the Read permission checkbox for the Banner model.

For further guidance and details on managing access control, refer to the access control guide, which provides comprehensive information on configuring and customizing data permissions in Gadget.

Writing data back to your backend 

Shopify app frontends can use the useAction and useGlobalAction hooks from the @gadgetinc/react hooks library to write data back to your database.

To update data within Shopify, you must make an API call to Shopify directly from your backend. See the Calling Shopify API section for more information.

To write data back to your database for models you've created, or fields you've added to Shopify Models, use the useAction or useGlobalAction hook in a React component.

For example, if we create a new model within our app called Banner, we can use the useAction hook to create a new banner record:

jsx
1import { useAction } from "@gadgetinc/react";
2import { api } from "../api";
3
4export const CreateBannerForm = (props) => {
5 const [message, setMessage] = useState("");
6 const [{ data, fetching, error }, act] = useAction(api.banner.create);
7
8 if (fetching) {
9 return <div>Saving...</div>;
10 }
11
12 if (error) {
13 return <div>Error: {error.message}</div>;
14 }
15
16 return (
17 <form
18 onSubmit={() => {
19 // run the action function when the form is submitted
20 // the component will re-render with `fetching: true` initially, and then when the response arrives, render again with the result in `data`.
21 void act({ message });
22 }}
23 >
24 <label>Message</label>
25 <textarea onChange={(e) => setMessage(e.target.value)}>{message}</textarea>
26 <input type="submit" />
27 </form>
28 );
29};

For more details on the useAction hook, see the @gadgetinc/react reference, and see the Building Frontends guide for more examples.

Calling Global Actions 

Shopify app frontends can call your backend's Global Actions with the useGlobalAction hook. See the Building Frontends guide for more information.

Calling HTTP routes 

Shopify app frontends can call your backend's HTTP Routes with api.fetch, or any other HTTP client for React. See the Building Frontends guide for more information.

If your HTTP routes require authentication, or need to access the connections object server side, you must ensure you pass the correct authentication headers to your HTTP route from your frontend. You can do this automatically by using api.fetch instead of the built-in browser fetch.

For more information, see the Building Frontends guide.

Calling the Shopify API 

In Gadget, it is generally recommended to read data through Gadget's API, as Gadget's API does not impose the same access restrictions as Shopify's API. Unlike Shopify's API, your Gadget app's API is not rate-limited, allowing you to fetch data without the need for meticulous request management.

However, if you require access to data that your Gadget app doesn't sync or if you need to retrieve data that Gadget doesn't have direct access to, you can utilize Shopify's API directly.

To make requests to Shopify's Admin API, it is best to initiate the calls from the backend of your Gadget app's API. This involves making a request from your frontend application to your Gadget backend, which in turn makes the necessary calls to Shopify's API. The results are then returned from your Gadget backend to your frontend application.

Calling Shopify within actions 

Code within a model actions or global actions can make API calls to Shopify using the connections.shopify.current Shopify API client Gadget provides.

For example, if we want to create a product from the frontend of our Gadget application, we can create an global action that calls the Shopify API:

First, we create a new Global Action called createProduct within the Global Actions section of the Gadget editor.

View of the global actions editor with a freshly created Global Action

Then, we can add the following code to the global action:

globalAction/createProduct/onCreateProduct.js
JavaScript
1export async function run({ scope, logger, params, connections }) {
2 const shopify = connections.shopify.current;
3 const product = await shopify.product.create({
4 title: "test 123",
5 });
6 logger.info({ product }, "created new product in shopify");
7 scope.result = product;
8}

This action uses Gadget's connections object to access the Shopify API client, and then calls the product.create method to create a new product in Shopify.

We can then call this global action from our Shopify frontend with the useGlobalAction React hook. For example, we can call this action when a button is clicked in the app:

frontend/components/CreateProductButton.js
jsx
1import { useGlobalAction } from "@gadgetinc/react";
2import { api } from "../api";
3
4export const CreateProductButton = (props) => {
5 const [{ data, fetching, error }, act] = useGlobalAction(api.createProduct);
6
7 return (
8 <button disabled={fetching} onClick={() => void act()}>
9 Create Product
10 </button>
11 );
12};

Gadget's synced Shopify models are one-way synced out of Shopify. You can't call the api.shopifyProduct.create action from the frontend to create a product, as that would put your Gadget app out of sync with Shopify. You must use the Shopify API to create resources that Shopify owns.

Calling Shopify in HTTP Routes 

Route code within HTTP Routes can access the Shopify API using request.connections.shopify to create a Shopify API client object, similarly to Actions or Global Actions.

For example, an HTTP route could return an up-to-date list of products from the Shopify API:

JavaScript
1module.exports = async (request, reply) => {
2 const shopify = request.connections.shopify.current;
3 const products = await shopify.product.list();
4 reply.send({
5 products,
6 });
7};

If you're accessing the connections object server side, you must ensure you pass the correct authentication headers to your HTTP route from your frontend. You can do this automatically by using api.fetch in the browser instead of the built-in browser fetch.

For more information, see the Building Frontends guide.

Standalone Shopify Apps 

With a standalone Shopify app, you'll need to handle authentication and tenancy yourself as there is no Shopify session token to derive this from.

If your Shopify app is not an embedded app, you can still use the Gadget frontends to build your app. To do so, you will need to set the type prop on GadgetProvider to AppType.Standalone.

frontend/App.jsx
jsx
<GadgetProvider type={AppType.Standalone} shopifyApiKey={window.gadgetConfig.apiKeys.shopify} api={api} router={appBridgeRouter}>
<AuthenticatedApp />
</GadgetProvider>

Next is to update your routes/shopify/GET-install.js route file to redirect users back to your frontend instead of the Shopify admin.

routes/shopify/GET-install.js
JavaScript
1// replace the following
2// if (embedded) {
3// return await reply.redirect("/?" + new URLSearchParams(query).toString());
4// } else {
5// const host = Buffer.from(base64Host, 'base64').toString('ascii');
6// return await reply.redirect(`https://${host}/apps/${apiKey}`);
7// }
8
9return await reply.redirect("/");

This will ensure that once a shop install has completed users will be redirected to your frontend.

Shopify frontend security requirements 

Shopify requires app developers to meet a set of important security requirements when building embedded apps. Gadget meets each security requirement out of the box:

  • Gadget apps are always served over HTTPS
  • Gadget apps run behind a production-grade firewall and only expose the necessary services
  • Gadget apps use robust, multi-tenant authentication that limits access to data to the current shop (see the access control guide)
  • Gadget sets up GDPR webhook listeners automatically for Shopify apps (see the GDPR docs)
  • Gadget uses Shopfiy's Session Token authentication mechanism for authenticating the frontend to the backend.
  • Gadget automatically sets the Content-Security-Policy header necessary for Shopify's IFrame protection when serving Shopify apps (see Shopify's security docs)

If you have any questions about the security posture of Gadget applications for Shopify, please join us in our Discord to discuss!

Reference 

The Provider 

The @gadgetinc/react-shopify-app-bridge library handles authentication of your embedded app via the Provider component. This provider has two main benefits - it handles authentication and the series of redirects required to complete an embedded app OAuth flow in Shopify, and it handles retrieving a Shopify session token from the App Bridge and passing it along to Gadget for authenticated calls.

The Provider handles these key tasks automatically:

  • Starts the OAuth process with new users of the application using Gadget, escaping Shopify's iframe if necessary
  • Establishes an iframe-safe secure session with the Gadget backend using Shopify's Session Token authentication scheme
  • Sets up the correct React context for making backend calls to Gadget using @gadgetinc/react

The Provider has the following required props:

Provider Interface
TypeScript
export interface ProviderProps {
type: AppType; // 'AppType.Embedded' or 'AppType.Standalone'
shopifyApiKey: string; // the API key from your Shopify app in the partner dashboard that is used with the Shopify App Bridge
api: string; // the API client created using your Gadget application
}

The Gadget provider will handle detecting if your app is being rendered in an embedded context and redirect the user through Shopify's OAuth flow if necessary.

The useGadget React hook 

The Provider handles initializing the App Bridge for us. Now we can build our application component and use the initialized instance of App Bridge via the appBridge key returned from the embedded React hook useGadget.

useGadget provides the following properties:

useGadget React Hook
TypeScript
1export interface useGadget {
2 isAuthenticated: boolean; // 'true' if the user has completed a successful OAuth flow
3 isEmbedded: boolean; // 'true' if the app is running in an embedded context
4 isRootFrameRequest: boolean; // 'true' if a user is viewing a "type: AppType.Embedded" app in a non-embedded context, for example, accessing the app at a hosted Vercel domain
5 loading: boolean; // 'true' if the OAuth flow is in process
6 appBridge: AppBridge; // a ready-to-use app bridge from Shopify, you can also use the traditional useAppBridge hook in your components to retrieve it.
7}

useGadget example 

The following example renders a ProductManager component that makes use of Shopify App Bridge components and is ready to be embedded in a Shopify Admin page.

productManager.tsx
JavaScript
1import { useAction, useFindMany } from "@gadgetinc/react";
2import { useGadget } from "@gadgetinc/react-shopify-app-bridge";
3import { Button, Redirect, TitleBar } from "@shopify/app-bridge/actions";
4import { api } from "./api.ts";
5
6function ProductManager() {
7 const { loading, appBridge, isRootFrameRequest } = useGadget();
8 const [_, deleteProduct] = useAction(api.shopifyProduct.delete);
9 const [{ data, fetching, error }, refresh] = useFindMany(api.shopifyProduct);
10
11 if (error) return <>Error: {error.toString()}</>;
12 if (fetching) return <>Fetching...</>;
13 if (!data) return <>No widgets found</>;
14
15 // Set up a title bar for the embedded app
16 const breadcrumb = Button.create(appBridge, { label: "My breadcrumb" });
17 breadcrumb.subscribe(Button.Action.CLICK, () => {
18 appBridge.dispatch(Redirect.toApp({ path: "/breadcrumb-link" }));
19 });
20
21 const titleBarOptions = {
22 title: "My page title",
23 breadcrumbs: breadcrumb,
24 };
25 TitleBar.create(appBridge, titleBarOptions);
26
27 return (
28 <>
29 {loading && <span>Loading...</span>}
30 {isRootFrameRequest && (
31 <span>App can only be viewed in the Shopify Admin!</span>
32 )}
33 {!loading &&
34 !isRootFrameRequest &&
35 data.map((widget, i) => (
36 <button
37 key={i}
38 onClick={(event) => {
39 event.preventDefault();
40 void deleteProduct({ id: widget.id }).then(() => refresh());
41 }}
42 >
43 Delete {widget.title}
44 </button>
45 ))}
46 </>
47 );
48}

GraphQL queries 

When developing embedded Shopify apps, it is possible that the installed scopes of a Shop may not align with the required scopes in your Gadget app's connection. In such cases, it becomes necessary to re-authenticate with Shopify in order to obtain the updated scopes. To determine if re-authentication is required and gather information about missing scopes, you can execute the following GraphQL query using the app client provided to the Provider:

productManager.tsx
GraphQL
1query {
2 shopifyConnection {
3 requiresReauthentication
4 missingScopes
5 }
6}

Session model management 

The Shopify Connection in Gadget automatically manages records of the backend Session model when using @gadgetinc/react-shopify-app-bridge. When a merchant first loads up the frontend application, the <Provider/> will retrieve a Shopify Session Token from Shopify's API, and pass it to your Gadget backend application. The Gadget Shopify Connection will then validate this token. If valid, the connection will provision a new record of the Session model with the correct shopId field set up. This session is then passed to all your backend application's model filters and is available within Action code snippets.

Embedded app examples 

Want to see an example of an embedded Shopify app built using Gadget?

Check out some of our example apps on GitHub, including:

External Frontends with the Shopify CLI 

If the built-in Gadget frontend doesn't work for you, you can use the frontend generated by the Shopify CLI as an external frontend for your Gadget backend application. This lets you still take advantage of Gadget's OAuth handling, scalable backend database, and robust webhook processing while using the frontend generated by the Shopify CLI.

Using the Shopify CLI frontend 

To use Shopify's generated frontend as an external frontend, you will need to make a few changes to the code generated by the Shopify CLI. Instead of deleting the web folder from your repository after generating a CLI app, keep it in place, and follow these steps:

  • Update web/index.js to not implement Shopify OAuth, as Gadget handles OAuth and syncing data from the Shopify API. Instead, web/index.js just needs to serve the frontend application with the correct security headers for Shopify.

Replace the contents of web/index.js with the following:

web/index.js
JavaScript
1// @ts-check
2import { join } from "path";
3import * as fs from "fs";
4import express from "express";
5import serveStatic from "serve-static";
6
7const __dirname = new URL(".", import.meta.url).pathname;
8
9const PORT = parseInt(process.env["BACKEND_PORT"] || process.env["PORT"], 10);
10const STATIC_PATH =
11 process.env["NODE_ENV"] === "production"
12 ? `${__dirname}/frontend/dist`
13 : `${__dirname}/frontend/`;
14
15const app = express();
16
17// return Shopify's required iframe embedding headers for all requests
18app.use((req, res, next) => {
19 const shop = req.query.shop;
20 if (shop) {
21 res.setHeader(
22 "Content-Security-Policy",
23 `frame-ancestors https://${shop} https://admin.shopify.com;`
24 );
25 }
26 next();
27});
28
29// serve any static assets built by vite in the frontend folder
30app.use(serveStatic(STATIC_PATH, { index: false }));
31
32// serve the client side app for all routes, allowing it to pick which page to render
33app.use("/*", async (_req, res, _next) => {
34 return res
35 .status(200)
36 .set("Content-Type", "text/html")
37 .send(fs.readFileSync(join(STATIC_PATH, "index.html")));
38});
39
40app.listen(PORT);
  • You can then delete the other example code that @shopify/cli created in the web/ directory when it created your app if you like by running the following command in your app's root directory
Shell
rm -f web/shopify.js web/product-creator.js web/gdpr.js

Finally, we can set up our Gadget Client and use the Provider to handle OAuth for our embedded app.

You need to install your Gadget dependencies in the web/frontend directory of your Shopify CLI application! Change into this directory before running the following commands:

Shell
cd web/frontend
  • Install local-ssl-proxy in the web/frontend directory
web/frontend
npm install local-ssl-proxy
yarn add local-ssl-proxy
  • Update the dev script in web/frontend/package.json to vite & local-ssl-proxy --source 443 --target 3005.
web/frontend/package.json
json
1{
2 // ...
3 "scripts": {
4 "build": "vite build",
5 "dev": "vite & local-ssl-proxy --source 443 --target 3005",
6 "coverage": "vitest run --coverage"
7 }
8}
Working with Windows?

If you are working with Windows, the dev command above will not work. You will need to split it up into two separate commands and run them separately. For example, "dev": "vite" and "dev-proxy": "local-ssl-proxy --source 443 --target 3005".

This allows us to use our local frontend when doing development inside Shopify's admin, which uses HTTPS.

  • Replace your web/frontend/vite.config file with the following code:
web/frontend/vite.config.js
JavaScript
1import { defineConfig } from "vite";
2import { dirname } from "path";
3import { fileURLToPath } from "url";
4import react from "@vitejs/plugin-react";
5
6if (
7 process.env["npm_lifecycle_event"] === "build" &&
8 !process.env["CI"] &&
9 !process.env["SHOPIFY_API_KEY"]
10) {
11 console.warn(
12 "\nBuilding the frontend app without an API key. The frontend build will not run without an API key. Set the SHOPIFY_API_KEY environment variable when running the build command.\n"
13 );
14}
15
16const host = "localhost";
17const port = 3005;
18
19export default defineConfig({
20 root: dirname(fileURLToPath(import.meta.url)),
21 plugins: [react()],
22 define: {
23 "process.env": JSON.stringify({
24 SHOPIFY_API_KEY: process.env["SHOPIFY_API_KEY"],
25 }),
26 },
27 resolve: {
28 preserveSymlinks: true,
29 },
30 server: {
31 host: host,
32 port: port,
33 hmr: {
34 protocol: "ws",
35 host: host,
36 port: port,
37 clientPort: port,
38 },
39 },
40});
Changing the port

If you wish to change the port for your local server, make sure to modify both the port variable in web/frontend/vite.config and the target at the end of the dev script in the web/frontend/package.json. Note that the ports must be the same for the proxy to function correctly.

Shopify CLI apps using Gadget don't need to use ngrok and instead run at https://localhost. This vite config keeps vite's hot module reloading functionality working quickly without using ngrok which is faster and more reliable.

  • You need to register the Gadget NPM registry for the @gadget-client package scope:
web/frontend
Shell
npm config set @gadget-client:registry https://registry.gadget.dev/npm
  • The following npm modules are required when creating an app that will be embedded in the Shopify Admin:
web/frontend
npm install @gadgetinc/react @gadgetinc/react-shopify-app-bridge @gadget-client/example-app
yarn add @gadgetinc/react @gadgetinc/react-shopify-app-bridge @gadget-client/example-app

Make sure to replace `example-app` with your app's package name!

  • To deploy your frontend using hosting platforms such as Vercel, Heroku or Netlify, you will need to add a new file web/frontend/.npmrc to help point to the Gadget registry.
web/frontend/.npmrc
@gadget-client:registry=https://registry.gadget.dev/npm
  • The next step is to set up your Gadget client in the application. You can use this client to make requests to your Gadget application. You can create a new file in your project, and add the following code:
web/frontend/api.js
JavaScript
import { Client } from "@gadget-client/example-app";
export const api = new Client();
  • Now you need to set up the Provider in web/frontend/App.jsx. We can also use the useGadget hook to ensure we are authenticated before we make requests using the API. Here is a small snippet as an example:
web/frontend/App.jsx
JavaScript
1import {
2 AppType,
3 Provider as GadgetProvider,
4 useGadget,
5} from "@gadgetinc/react-shopify-app-bridge";
6import { api } from "./api";
7
8import { PolarisProvider } from "./components";
9
10/**
11 Gadget's Provider takes care of App Bridge authentication, you do not need Shopify's default AppBridgeProvider.
12*/
13export default function App() {
14 return (
15 <GadgetProvider
16 type={AppType.Embedded}
17 shopifyApiKey={process.env["SHOPIFY_API_KEY"]}
18 api={api}
19 >
20 <PolarisProvider>
21 <EmbeddedApp />
22 </PolarisProvider>
23 </GadgetProvider>
24 );
25}
26
27// This is where we make sure we have auth'd with AppBridge
28// Once we have authenticated, we can render our app!
29// Feel free to use the default page navigation that Shopify's CLI sets up for you
30// example here - https://github.com/gadget-inc/examples/blob/main/packages/shopify-cli-embedded/web/frontend/App.jsx
31function EmbeddedApp() {
32 // we use `isAuthenticated` to render pages once the OAuth flow is complete!
33 const { isAuthenticated } = useGadget();
34 return isAuthenticated ? (
35 <span>Hello, world!</span>
36 ) : (
37 <span>Authenticating...</span>
38 );
39}

If you are looking for examples of how to use our API client, visit our examples repository.

Next steps 

Once you've updated your Shopify CLI web folder to function as an external frontend, you can start building your app! See the Shopify connection guide for more information on building apps for Shopify with Gadget.

Deployment 

If using the Shopify CLI's web folder as the frontend for your application, you'll need to deploy it to a hosting platform. See the External Frontends guide for more information on deploying your frontend elsewhere.