Integration guide

Shopify app

Backend-native OAuth + webhook receiver that can tag (and optionally act on) risky orders.

Repo location

integrations/shopify

The app integration is implemented in the backend under /api/v1/shopify. It verifies webhook signatures and stores per-shop access tokens in Postgres (table: shopify_stores).

Configure environment

  • SHOPIFY_API_KEY and SHOPIFY_API_SECRET
  • SHOPIFY_SCOPES (comma-separated)
  • API_URL public URL Shopify can reach (for OAuth + webhooks)

Install flow (OAuth)

Start an install by requesting the install URL:

curl -sS "https://predax.io/api/v1/shopify/install?shop=YOURSHOP.myshopify.com"

Open the returned install_url in a browser to complete OAuth. On success, the backend stores the access token and registers the orders/create webhook.

Webhook receiver

Shopify will POST order events to the webhook endpoint. The backend verifies the Shopify HMAC signature before processing.

POST /api/v1/shopify/webhooks/orders-create

Typical behavior: compute risk for the customer IP (best-effort), tag the order for manual review, and optionally take stricter action depending on store settings.

Admin management (optional)

Manage connected shops and settings via admin endpoints (JWT/admin auth).

GET /api/v1/admin/shopify/storesPATCH /api/v1/admin/shopify/stores