The Shopify API gem allows Ruby developers to programmatically access the admin section of Shopify stores.
The API is implemented as JSON over HTTP using all four verbs (GET/POST/PUT/DELETE). Each resource, like Order, Product, or Collection, has its own URL and is manipulated in isolation. In other words, we’ve tried to make the API follow the REST principles as much as possible.
ApiVersion was introduced in Version 7.0.0 and known versions were hard coded into the gem. Manually defining api versions is no longer required for versions not listed in the gem. Version 8.0.0 removes the following:
- ShopifyAPI::ApiVersion::Unstable
- ShopifyAPI::ApiVersion::Release
- ShopifyAPI::ApiVersion.define_version

The following methods on ApiVersion have been deprecated:

- .coerce_to_version deprecated. Use .find_version
- .define_known_versions deprecated. Use .fetch_known_versions
- .clear_defined_versions deprecated. Use .clear_known_versions
- .latest_stable_version deprecated. Use ShopifyAPI::Meta.admin_versions.find(&:latest_supported) (this fetches info from Shopify servers. No authentication required.)
- #name deprecated. Use #handle
- #stable? deprecated. Use #supported?

Version 8.0.0 introduces a version lookup mode. By default, ShopifyAPI::ApiVersion.version_lookup_mode is :define_on_unknown. When setting the api_version on Session or Base, the api_version attribute takes a version handle (i.e. '2019-07' or :unstable) and sets an instance of ShopifyAPI::ApiVersion matching the handle. When the version_lookup_mode is set to :define_on_unknown, any handle will naïvely create a new ApiVersion if the version is not in the known versions returned by ShopifyAPI::ApiVersion.versions.
To ensure only known and active versions can be set, call:
```ruby
ShopifyAPI::ApiVersion.version_lookup_mode = :raise_on_unknown
ShopifyAPI::ApiVersion.fetch_known_versions
```
Known and active versions are fetched from https://app.shopify.com/services/apis.json and cached. Trying to use a version outside this cached set will raise an error. To switch back to naïve lookup and create a version if it's not found, call ShopifyAPI::ApiVersion.version_lookup_mode = :define_on_unknown.
Session creation requires api_version to be set and now uses keyword arguments
To upgrade your use of ShopifyAPI you will need to make the following changes.
```ruby
ShopifyAPI::Session.new(domain, token, extras)
```
is now
```ruby
ShopifyAPI::Session.new(domain: domain, token: token, api_version: api_version, extras: extras)
```
Note: extras is still optional; the other arguments are required.
```ruby
ShopifyAPI::Session.temp(domain, token, extras) do
  ...
end
```
is now
```ruby
ShopifyAPI::Session.temp(domain: domain, token: token, api_version: api_version) do
  ...
end
```
For example, if you want to use the 2019-04 version you would create a session like this:
```ruby
session = ShopifyAPI::Session.new(domain: domain, token: token, api_version: '2019-04')
```
If you want to use the unstable version you would create a session like this:
```ruby
session = ShopifyAPI::Session.new(domain: domain, token: token, api_version: :unstable)
```
If you have defined or customized Resources, classes that extend ShopifyAPI::Base:
The use of self.prefix = has been deprecated; you should now use self.resource = and not include /admin.
For example, if you specified a prefix like this before:
```ruby
class MyResource < ShopifyAPI::Base
  self.prefix = '/admin/shop/'
end
```
You will update this to:
```ruby
class MyResource < ShopifyAPI::Base
  self.resource_prefix = 'shop/'
end
```
If you have specified any full paths for API calls in find:
```ruby
def self.current(options={})
  find(:one, options.merge(from: "/admin/shop.#{format.extension}"))
end
```
would be changed to
```ruby
def self.current(options = {})
  find(:one, options.merge(
    from: api_version.construct_api_path("shop.#{format.extension}")
  ))
end
```
- OAuth URLs for authorize, getting the access_token from a code, access_scopes, and using a refresh_token have not changed.
  - get: /admin/oauth/authorize
  - post: /admin/oauth/access_token
  - get: /admin/oauth/access_scopes
- URLs for the merchant’s web admin have not changed. For example: to send the merchant to the product page the url is still /admin/product/<id>

All API usage happens through Shopify applications, created by either shop owners for their own shops, or by Shopify Partners for use by other shop owners:
- Shop owners can create applications for themselves through their own admin: https://docs.shopify.com/api/authentication/creating-a-private-app
- Shopify Partners create applications through their admin: http://app.shopify.com/services/partners
For more information and detailed documentation about the API visit https://developers.shopify.com/
This gem requires Ruby 2.4 as of version 7.0.
Add shopify_api to your Gemfile:
```ruby
gem 'shopify_api'
```
Or install via gem:
```bash
gem install shopify_api
```
ShopifyAPI uses ActiveResource to communicate with the REST web service. ActiveResource has to be configured with a fully authorized URL of a particular store first. To obtain that URL you can follow these steps:
-
First create a new application in either the partners admin or your store admin. For a private App you'll need the API_KEY and the PASSWORD; otherwise you'll need the API_KEY and SHARED_SECRET.
If you're not sure how to create a new application in the partner/store admin, or how to generate the required credentials, you can read the related Shopify docs on the same.
-
For a private App you just need to set the base site url as follows:
```ruby
# shop_url embeds the API key and password, so keep it out of logs and source control
shop_url = "https://#{API_KEY}:#{PASSWORD}@#{SHOP_NAME}.myshopify.com"
ShopifyAPI::Base.site = shop_url
# find the latest stable api_version at https://help.shopify.com/api/versioning
ShopifyAPI::Base.api_version = '<version_name>'
```
That's it, you're done, skip to step 6 and start using the API!
For a partner app you will need to supply two parameters to the Session class before you instantiate it:
ShopifyAPI::Session.setup(api_key: API_KEY, secret: SHARED_SECRET)
Shopify maintains omniauth-shopify-oauth2 which securely wraps the OAuth flow and interactions with Shopify (steps 3 and 4 above). Using this gem is the recommended way to use OAuth authentication in your application.
-
In order to access a shop's data, apps need an access token from that specific shop. This is a two-stage process. Before interacting with a shop for the first time an app should redirect the user to the following URL:
GET https://SHOP_NAME.myshopify.com/admin/oauth/authorize
with the following parameters:
- client_id – Required – The API key for your app
- scope – Required – The list of required scopes (explained here: https://help.shopify.com/api/guides/authentication/oauth#scopes)
- redirect_uri – Required – The URL where you want to redirect the users after they authorize the client. The complete URL specified here must be identical to one of the Application Redirect URLs set in the App's section of the Partners dashboard. Note: in older applications, this parameter was optional, and redirected to the Application Callback URL when no other value was specified.
- state – Optional – A randomly selected value provided by your application, which is unique for each authorization request. During the OAuth callback phase, your application must check that this value matches the one you provided during authorization. This mechanism is important for the security of your application.
- grant_options[] – Optional – Set this parameter to per-user to receive an access token that respects the user's permission level when making API requests (called online access). This is strongly recommended for embedded apps.

We've added the create_permission_url method to make this easier. First instantiate your session object:
```ruby
shopify_session = ShopifyAPI::Session.new(domain: "SHOP_NAME.myshopify.com", api_version: api_version, token: nil)
```
Then call:
```ruby
scope = ["write_products"]
permission_url = shopify_session.create_permission_url(scope)
```
or if you want a custom redirect_uri:
```ruby
permission_url = shopify_session.create_permission_url(scope, "https://my_redirect_uri.com")
```
-
Once authorized, the shop redirects the owner to the return URL of your application with a parameter named 'code'. This is a temporary token that the app can exchange for a permanent access token.
Before you proceed, make sure your application performs the following security checks. If any of the checks fails, your application must reject the request with an error, and must not proceed further.
- Ensure the provided state is the same one that your application provided to Shopify during Step 3.
- Ensure the provided hmac is valid. The hmac is signed by Shopify as explained below, in the Verification section.
- Ensure the provided hostname parameter is a valid hostname, ends with myshopify.com, and does not contain characters other than letters (a-z), numbers (0-9), dots, and hyphens.

If all security checks pass, the authorization code can be exchanged once for a permanent access token. The exchange is made with a request to the shop.
POST https://SHOP_NAME.myshopify.com/admin/oauth/access_token
with the following parameters:
- client_id – Required – The API key for your app
- client_secret – Required – The shared secret for your app
- code – Required – The token you received in step 3

and you'll get your permanent access token back in the response.
There is a method to make the request and get the token for you. Pass all the params received from the previous call and the method will verify the params, extract the temp code and then request your token:
token = shopify_session.request_token(params)
This method will save the token to the session object and return it. All fields returned by Shopify, other than the access token itself, are stored in the session's extra attribute. For a list of all fields returned by Shopify, read our OAuth documentation. If you requested an access token that is associated with a specific user, you can retrieve information about this user from the extra hash:
```ruby
# a list of all granted scopes
granted_scopes = shopify_session.extra['scope']
# a hash containing the user information
user = shopify_session.extra['associated_user']
# the access scopes available to this user, which may be a subset of the access scopes granted to this app.
active_scopes = shopify_session.extra['associated_user_scope']
# the time at which this token expires; this is automatically converted from 'expires_in' returned by Shopify
expires_at = shopify_session.extra['expires_at']
```
For the security of your application, after retrieving an access token you must validate the following:
- The list of scopes in shopify_session.extra['scope'] is the same as you requested.
- If you requested an online-mode access token, shopify_session.extra['associated_user'] must be present.

Failing either of these tests means the end-user may have tampered with the url parameters during the OAuth authentication phase. You should avoid using this access token and revoke it immediately. If you use the omniauth-shopify-oauth2 gem these checks are done automatically for you.
For future sessions simply pass in the token and extra hash (optional) when creating the session object:
```ruby
shopify_session = ShopifyAPI::Session.new(domain: "SHOP_NAME.myshopify.com", token: token, api_version: api_version, extra: extra)
```
-
The session must be activated before use:
ShopifyAPI::Base.activate_session(shopify_session)
-
Now you're ready to make authorized API requests to your shop! Data is returned as ActiveResource instances:
```ruby
shop = ShopifyAPI::Shop.current

# Get a specific product
product = ShopifyAPI::Product.find(179761209)

# Create a new product
new_product = ShopifyAPI::Product.new
new_product.title = "Burton Custom Freestyle 151"
new_product.product_type = "Snowboard"
new_product.vendor = "Burton"
new_product.save

# Update a product
product.handle = "burton-snowboard"
product.save
```
Alternatively, you can use #temp to initialize a Session and execute a command which also handles temporarily setting ActiveResource::Base.site:
```ruby
products = ShopifyAPI::Session.temp(domain: "SHOP_NAME.myshopify.com", token: token, api_version: api_version) do
  ShopifyAPI::Product.find(:all)
end
```
-
If you would like to run a small number of calls against a different API version you can use this block syntax:
```ruby
ShopifyAPI::Session.temp(domain: "SHOP_NAME.myshopify.com", token: token, api_version: '2019-04') do
  ShopifyAPI::Product.find(:all) # find call against version `2019-04`

  ShopifyAPI::Session.with_version(:unstable) do
    ShopifyAPI::Product.find(:all) # find call against version `unstable`
  end

  ShopifyAPI::Product.find(:all) # find call against version `2019-04`
end
```
-
If you want to work with another shop, you'll first need to clear the session:
ShopifyAPI::Base.clear_session
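
The callback checks and the post-token checks from step 4, written out in plain Ruby as an added example (not code from the gem or from this README). It assumes the hostname arrives in the `shop` callback parameter, that a shop hostname is a single label before `.myshopify.com`, and that `extra['scope']` is a comma-separated string; helper names and sample values are constructed for illustration. HMAC verification is left to `request_token`, which the text above says verifies the params.

```ruby
require 'digest/sha2'
require 'set'

# One store label followed by .myshopify.com (stricter than "ends with").
# \A and \z anchor the whole string; ^ and $ match per line, so a value
# with an embedded newline after a valid hostname would slip through.
SHOP_HOST = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/

# Compare fixed-length digests so timing does not reveal a partial match.
def secure_equal?(a, b)
  x = Digest::SHA256.digest(a.to_s).bytes
  y = Digest::SHA256.digest(b.to_s).bytes
  x.zip(y).reduce(0) { |acc, (m, n)| acc | (m ^ n) }.zero?
end

# Accepts "a,b" or ["a", "b"]; order and whitespace do not matter.
def scope_set(scopes)
  Array(scopes).flat_map { |s| s.to_s.split(',') }.map(&:strip).reject(&:empty?).to_set
end

# Run on the callback query before exchanging the code.
# Returns the failed checks; an empty list means proceed.
def callback_failures(params, expected_state)
  failures = []
  state_ok = !expected_state.to_s.empty? && secure_equal?(params['state'], expected_state)
  failures << :state unless state_ok
  failures << :shop unless SHOP_HOST.match?(params['shop'].to_s)
  failures
end

# Run on session.extra after the token is issued; any failure means
# the token should not be used.
def grant_failures(extra, requested_scopes, online:)
  failures = []
  failures << :scope unless scope_set(extra['scope']) == scope_set(requested_scopes)
  failures << :associated_user if online && extra['associated_user'].nil?
  failures
end

# Constructed sample values, not a real shop, state or grant.
SAMPLE_CALLBACK = { 'state' => 'n0nce-7f3a', 'shop' => 'example-store.myshopify.com', 'code' => 'placeholder' }.freeze
SAMPLE_EXTRA = { 'scope' => 'write_products', 'associated_user' => { 'id' => 1 } }.freeze

if __FILE__ == $PROGRAM_NAME
  p callback_failures(SAMPLE_CALLBACK, 'n0nce-7f3a')
  p callback_failures(SAMPLE_CALLBACK.merge('shop' => 'evilmyshopify.com'), 'other')
  p grant_failures({ 'scope' => 'write_products,read_orders' }, %w[write_products], online: true)
end
```

An empty expected state is treated as a failure so that a session with no stored state cannot match a callback that omits the parameter.
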
This package also supports the shopify-api executable to make it easy to open up an interactive console to use the API with a shop.
-
Install the shopify_api_console gem.
```bash
gem install shopify_api_console
```
-
Obtain a private API key and password to use with your shop (step 2 in "Getting Started")
-
Use the shopify-api script to save the credentials for the shop to quickly log in.
```bash
shopify-api add yourshopname
```
Follow the prompts for the shop domain, API key and password.
-
Start the console for the connection.
```bash
shopify-api console
```
-
To see the full list of commands, type:
```bash
shopify-api help
```
This library also supports Shopify's new GraphQL API via a dependency on the graphql-client gem.
The authentication process (steps 1-5 under Getting Started) is identical. Once your session is activated, simply construct a new graphql client and use parse and query as defined by graphql-client.
```ruby
client = ShopifyAPI::GraphQL.new

SHOP_NAME_QUERY = client.parse <<-'GRAPHQL'
  {
    shop {
      name
    }
  }
GRAPHQL

result = client.query(SHOP_NAME_QUERY)
result.data.shop.name
```
ActiveResource is threadsafe as of version 4.1 (which works with Rails 4.x and above).
If you were previously using Shopify's activeresource fork then you should remove it and use ActiveResource 4.1.
Pagination can occur in one of two ways.
Page based pagination
```ruby
page = 1
products = ShopifyAPI::Product.find(:all, params: { limit: 50, page: page })
process_products(products)
while(products.count == 50)
  page += 1
  products = ShopifyAPI::Product.find(:all, params: { limit: 50, page: page })
  process_products(products)
end
```
Page based pagination will be deprecated in the 2019-10 API version, in favor of the second method of pagination:
Relative cursor based pagination
```ruby
products = ShopifyAPI::Product.find(:all, params: { limit: 50 })
process_products(products)
while products.next_page?
  products = products.fetch_next_page
  process_products(products)
end
```
Relative cursor pagination is currently available for all endpoints using the 2019-10 and later API versions.
Download the source code and run:
bundle install
bundle exec rake test
or if you'd rather use docker just run:
docker run -it --name shopify_api -v "$PWD:/shopify_api" -w="/shopify_api" ruby:2.6 bundle install
docker exec -it shopify_api bash
or you can even use our automated rake task for docker:
bundle exec rake docker
Copyright (c) 2014 "Shopify Inc.". See LICENSE for details.