Client-App backend communication
Direct communication from the browser to the app backend involves generating a JWT token. This token contains session-specific information, as claims, and is securely signed by the shop. This mechanism ensures a secure exchange of data between the client and the app backend.
WARNING
The JWT can only be generated from the browser when the user is logged in to the shop.
The Flow
The JWT token
The JWT token contains the following claims:
- languageId - the language ID of the current session
- currencyId - the currency ID of the current session
- customerId - the customer ID of the current session
- countryId - the country ID of the current session
- salesChannelId - the sales channel ID of the current session
A claim is only set when the app has the read permission for that specific entity, for example sales_channel:read for the salesChannelId claim; an app without that permission receives a token without it.
The JWT token is signed with SHA256-HMAC (HS256). The signing secret is the appSecret from the app registration, and the issuer (the iss claim) is the shopId, also from the registration. The app backend therefore verifies the token with the appSecret it stored at registration and checks that the issuer matches the registered shopId.
Generate JWT key
The JWT is generated with a POST request from the browser against /store-api/app-system/{name}/generate-token or /app-system/{name}/generate-token.
INFO
Calling the app backend from the browser is only possible when your app backend allows CORS requests. Example response headers:
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Methods: GET, POST, OPTIONS
- Access-Control-Allow-Headers: shopware-app-shop-id, shopware-app-token
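As an added example (not part of this documentation or the Shopware code base), here is how an app backend written in Python could verify the token it receives from the browser, following the signing rules described above: the alg header is pinned to HS256, the HMAC-SHA256 signature is checked with the appSecret in constant time, and the iss claim is compared against the shopId from the registration. The make_token helper exists only to construct a sample token for the demo, and every secret and ID in it is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, app_secret: str) -> str:
    """Build an HS256 JWT as the shop would; demo-only, the app backend never mints these."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(app_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_app_token(token: str, app_secret: str, shop_id: str) -> dict:
    """Verify the token sent by the browser (shopware-app-token header) and
    return its claims. Raises ValueError on any failure, so a caller can
    never act on claims from an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to what the page specifies: SHA256-HMAC (HS256).
    # Anything else, including "none", is rejected before the key is used.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(app_secret.encode(), signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed HMAC with the presented signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # The issuer must be the shopId stored at app registration.
    if claims.get("iss") != shop_id:
        raise ValueError("issuer does not match registered shop")
    # Session claims such as salesChannelId are absent when the app lacks the
    # matching permission, so callers must use claims.get(...), not claims[...].
    return claims
```

Look up the appSecret and shopId by the shopware-app-shop-id header before calling verify_app_token, since each shop that installed the app has its own pair.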