Admin UI extensions session tokens are inconsistent with other UI extensions libraries

[patryk-smc]

Hey, I have been working on Admin UI extensions for the last couple of days and found some inconsistencies with other parts of Shopify which I found a bit frustrating.

Documentation says:

Source: https://shopify.dev/docs/api/admin-extensions/2024-07#app-authentication

This means, that I can only send authenticated requests to my app domain or its subdomains.

The main problem here: If my app domain is app.myapp.com, I cannot make requests to api.myapp.com because this is not a subdomain of app.myapp.com

How this is solved in other parts of Shopify

Checkout UI Extensions and Customer UI Extensions

give us useSessionToken() hook which returns a token that can be used anywhere in the app, without any domain restrictions.

Source:

• https://shopify.dev/docs/api/checkout-ui-extensions/unstable/apis/session-token
• https://shopify.dev/docs/api/customer-account-ui-extensions/unstable/apis/session-token

App Bridge Library

automatically injects an Authorization header to all requests made to the app URL, similar to Admin UI extensions, however:

• Additional domains can be added with "appOrigins" option
• Automatic addition of Authorization header can be disabled with "disabledFeatures" option
• Token can be also fetched manually, using shopify.idToken()

---

I wanted to suggest either adopting an approach from other UI Extensions or the App Bridge Library. Thank you!

[jplhomer]

@patryk-smc OK I did some digging. Turns out, we do have a utility for this:

const {auth} = useApi(TARGET);

const token = await auth.sessionToken.get();

I'm working on adding this to types and documentation now 👍

[patryk-smc]

Oh well, I did not expect that! Sweet thank you!