
Client-App backend communication

Direct communication from the browser to the app backend relies on a JWT issued by the shop. The token carries session-specific information as claims and is signed by the shop, so the app backend can verify that a request originates from a session of a shop it is registered with, without the browser ever holding the app secret.


The JWT can only be generated while the user is logged in to the shop in the browser.

The Flow


The JWT token

The JWT token contains the following claims:

  • languageId - the language ID of the current session
  • currencyId - the currency ID of the current session
  • customerId - the customer ID of the current session
  • countryId - the country ID of the current session
  • salesChannelId - the sales channel ID of the current session

Each claim is only set when the app has the permission for that entity, for example sales_channel:read for the salesChannelId claim. An app backend must therefore treat every claim as optional.

The JWT is signed with HMAC-SHA256 (HS256). The secret is the appSecret from the app registration, and the issuer (the iss claim) is the shopId, also from the registration. The app backend therefore needs the shopId to look up the matching appSecret before it can verify the signature.

Generate the JWT token

The JWT token is generated with a POST request against /store-api/app-system/{name}/generate-token or /app-system/{name}/generate-token, where {name} is the name of the app.


Requests from the browser to the app backend are only possible when the app backend allows CORS requests, including the custom headers that carry the shop ID and the token. Example response headers:

  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Methods: GET, POST, OPTIONS
  • Access-Control-Allow-Headers: shopware-app-shop-id, shopware-app-token
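A wildcard Access-Control-Allow-Origin works here because the browser sends no cookies to the app backend; the token header is the credential. A tighter variant, shown as an added Node.js example that is not Shopware's own code, answers the preflight only for origins that match a shop URL the app backend recorded at registration (the registeredShopUrls list is an assumption about how the backend stores them) and echoes that single origin back with a Vary header instead of *.

```javascript
// Added example (not Shopware's own code): CORS handling in a Node.js app
// backend for browser-to-backend calls. Assumption: the backend keeps the
// shop URLs it received at registration in `registeredShopUrls`.
const ALLOWED_METHODS = 'GET, POST, OPTIONS';
const ALLOWED_HEADERS = 'shopware-app-shop-id, shopware-app-token';

// Returns the CORS response headers for a request from `origin`, or null when
// the origin is not the origin of a registered shop URL. Scheme, host and
// port all have to match; a path on the registered URL is ignored.
function corsHeadersFor(origin, registeredShopUrls) {
  if (!origin) return null;
  let requestOrigin;
  try {
    requestOrigin = new URL(origin).origin;
  } catch {
    return null; // e.g. the literal "null" origin or garbage
  }
  const allowed = registeredShopUrls.some((u) => new URL(u).origin === requestOrigin);
  if (!allowed) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Access-Control-Allow-Headers': ALLOWED_HEADERS,
    // The answer now depends on the Origin header, so caches must key on it.
    'Vary': 'Origin',
  };
}

// The browser sends an OPTIONS preflight before a POST that carries the
// custom headers; answer 204 with the CORS headers or 403 for unknown origins.
function handlePreflight(requestHeaders, registeredShopUrls) {
  const headers = corsHeadersFor(requestHeaders['origin'], registeredShopUrls);
  if (!headers) return { status: 403, headers: {} };
  return { status: 204, headers };
}

module.exports = { corsHeadersFor, handlePreflight };
```

The same corsHeadersFor result has to be attached to the actual GET or POST response as well, not only to the preflight, otherwise the browser still blocks the response body.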

Validate the JWT token