Client-App backend communication
Direct communication from the browser to the app backend involves generating a JWT token. This token contains session-specific information, as claims, and is securely signed by the shop. This mechanism ensures a secure exchange of data between the client and the app backend.
The JWT key can only be generated when the user is logged in in the browser.
The JWT token
The JWT token contains the following claims:
- languageId: the language ID of the current session
- currencyId: the currency ID of the current session
- customerId: the customer ID of the current session
- countryId: the country ID of the current session
- salesChannelId: the sales channel ID of the current session
The claims are only set when the app has permission to that specific entity like
The JWT token is signed with SHA256-HMAC. The secret is the appSecret from the app registration, and the issuer ("issued by") is the shopId, also from the registration.
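One way an app backend could check such a token before trusting its claims, as an added example that is not Shopware's own code. It assumes the issuer is carried in the standard `iss` claim and that an `exp` claim may be present; the shop ID, secret and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample registration data (not real credentials).
REGISTERED_SHOPS = {"constructed-shop-id": "constructed-app-secret"}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_token(claims, app_secret):
    """Stand-in for the shop: build an HS256 token for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}." + _b64url_encode(_hs256(app_secret, f"{header}.{payload}"))

def verify_token(token, registered_shops):
    """Return the claims of a token signed by a registered shop, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm so the token cannot select "none" or another scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # The issuer is the shopId; it selects the appSecret stored at registration.
    issuer = claims.get("iss")
    app_secret = registered_shops.get(issuer) if isinstance(issuer, str) else None
    if app_secret is None:
        raise ValueError("unknown shop")
    expected = _hs256(app_secret, f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("bad signature")
    # Assumption: a standard "exp" claim may be present; reject expired tokens.
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < time.time():
        raise ValueError("token expired")
    return claims
```

Claims such as customerId should be read only from the value `verify_token` returns, never from the unverified payload.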
Generate JWT key
The JWT key is generated with a POST request against
Requests from the browser to the app backend are only possible when your app backend allows CORS requests. Example:
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Methods: GET, POST, OPTIONS
- Access-Control-Allow-Headers: shopware-app-shop-id, shopware-app-token