Client-App backend communication
Direct communication from the browser to the app backend involves generating a JWT token. This token contains session-specific information, as claims, and is securely signed by the shop. This mechanism ensures a secure exchange of data between the client and the app backend.
WARNING
The JWT can only be generated when the user is logged in in the browser.
The Flow
The JWT token
The JWT token contains the following claims:
- languageId: the language ID of the current session
- currencyId: the currency ID of the current session
- customerId: the customer ID of the current session
- countryId: the country ID of the current session
- salesChannelId: the sales channel ID of the current session
A claim is only set when the app has the permission for the corresponding entity, for example sales_channel:read for the salesChannelId claim.
The JWT token is signed with HMAC-SHA256 (HS256). The secret is the appSecret from the app registration, and the issuer (the iss claim) is the shopId, also from the registration.
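An app backend must validate this token before trusting any of its claims. The following is an added example, not code from the Shopware documentation or its SDKs: an HS256 verifier that pins the algorithm, checks the signature with the appSecret, compares the issuer against the shopId, and reads claims with .get() because a claim is absent when the app lacks the matching permission. The shop id, secret and claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_app_token(token: str, app_secret: str, shop_id: str, now=None) -> dict:
    """Validate a shop-issued JWT and return its claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the shop signs with HS256, so 'none' or any other alg is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(app_secret.encode(), signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed MAC against the token's signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # The issuer must be the shopId received during app registration.
    if claims.get("iss") != shop_id:
        raise ValueError("token issued by an unknown shop")
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return claims  # callers read claims with .get(); permission-gated claims may be missing


def make_test_token(claims: dict, app_secret: str) -> str:
    """Constructed helper that mimics the shop's HS256 signing, for local testing only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(app_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```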
Generate JWT key
The JWT is generated with a POST request against /store-api/app-system/{name}/generate-token or /app-system/{name}/generate-token.
INFO
Requesting from the browser to the app backend is only possible when your app backend allows CORS requests. Example:
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Methods: GET, POST, OPTIONS
- Access-Control-Allow-Headers: shopware-app-shop-id, shopware-app-token