Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.omneo.io/llms.txt

Use this file to discover all available pages before exploring further.

The Shopify Proxy is an Omneo-provided endpoint that allows your Shopify front end (Liquid templates, custom storefronts) to make authenticated requests to Omneo without exposing a bearer token on the client side.
This guide is part of the Shopify extension. It is referenced from the Shopify extension setup.

The problem it solves

Displaying a customer’s Omneo data on your Shopify storefront requires authentication. You cannot safely include a bearer token in Liquid templates or client-side JavaScript. The Shopify Proxy handles authentication server-side using an HMAC-signed customer signature.

How it works

  1. Shopify generates a customer-specific signature using your Omneo shared secret (via Liquid’s hmac_sha256 filter)
  2. Your front end sends the customer ID and signature to the Shopify Proxy endpoint
  3. The proxy verifies the signature and returns an Omneo ID token scoped to that customer
  4. Your front end uses the token to initialise the Shapes SDK and make requests to Omneo

Getting the customer signature in Liquid

{% assign customerId = customer.id %}
{% assign customerSignature = customer.id | hmac_sha256: shop.metafields.omneo.id_secret %}

Requesting a token via the proxy

const pluginUrl = 'https://api.[tenant].getomneo.com/shopify'

const response = await fetch(`${pluginUrl}/api/v1/auth/token`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    id: customerId,
    signature: customerSignature
  })
})

const { token } = await response.json()

Initialising the Shapes SDK with the proxy token

const shapesClient = ShapesSDK.init({
  url: 'https://api.[tenant].getomneo.com/id',
  token: token,
  logging: false
})

shapesClient.hydrate('profile')
shapesClient.on('profile.update', function(data) {
  // Render profile data
})

Caching the token

Store the token in localStorage to avoid requesting a new one on every page load: 
const storageKey = `shapes:omneo:shapestoken:${customerId}`
let token = localStorage.getItem(storageKey)

if (!token) {
  // Request from proxy and store
  token = await requestToken(customerId, customerSignature)
  localStorage.setItem(storageKey, token)
}

Security notes

  • The id_secret metafield should never be exposed on the client side — it is used server-side in Liquid only
  • The proxy validates the HMAC signature before issuing a token, ensuring the request is from a legitimate Shopify session
  • Tokens are scoped to a single customer profile and cannot be used to access other profiles