Skip to content

Client-App backend communication

You are viewing an outdated version of the documentation.
Click here to switch to the stable version (v6.6), or use the version switcher on the left to navigate between versions.

Client-App backend communication

Direct communication from the browser to the app backend involves generating a JSON Web Token (JWT). This token contains session-specific information, as claims, and is securely signed by the shop. This mechanism ensures a secure exchange of data between the client and the app backend.

WARNING

The JWT can be only generated when in the browser the user is logged-in.

The Flow

The JSON Web Token

The JWT contains the following claims:

  • languageId - the language ID of the current session
  • currencyId - the currency ID of the current session
  • customerId - the customer ID of the current session
  • countryId - the country ID of the current session
  • salesChannelId - the sales channel ID of the current session

The claims are only set when the app has permission to that specific entity like sales_channel:read for salesChannelId claim.

The JWT is signed with SHA256-HMAC and the secret is the appSecret from the app registration and the issued by is the shopId also from the registration.

Generate JSON Web Token

The JWT is generated with a POST request against /store-api/app-system/{name}/generate-token or /app-system/{name}/generate-token.

INFO

Requesting from the browser to the app backend is only possible when your app backend allows CORS requests. Example:

  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Methods: GET, POST, OPTIONS
  • Access-Control-Allow-Headers: shopware-app-shop-id, shopware-app-token

Validate the JSON Web Token