
Client-App backend communication


Direct communication from the browser to the app backend involves generating a JWT token. This token contains session-specific information, as claims, and is securely signed by the shop. This mechanism ensures a secure exchange of data between the client and the app backend.

WARNING

The JWT key can only be generated when the user is logged in in the browser.

The Flow


The JWT token

The JWT token contains the following claims:

  • languageId - the language ID of the current session
  • currencyId - the currency ID of the current session
  • customerId - the customer ID of the current session
  • countryId - the country ID of the current session
  • salesChannelId - the sales channel ID of the current session

A claim is only set when the app has permission for the corresponding entity, for example sales_channel:read for the salesChannelId claim.

The JWT token is signed with SHA256-HMAC (HS256 in JWT terms). The secret is the appSecret from the app registration, and the issuer (the iss claim) is the shopId, also from the registration.

Generate JWT key

The JWT key is generated with a POST request against /store-api/app-system/{name}/generate-token or /app-system/{name}/generate-token.

INFO

Requests from the browser to the app backend are only possible when your app backend allows CORS requests. Example:

  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Methods: GET, POST, OPTIONS
  • Access-Control-Allow-Headers: shopware-app-shop-id, shopware-app-token

Validate the JWT token