The Shopify app ecosystem generates billions of dollars in annual revenue for developers. There are over 2 million merchants on the platform, many of them actively looking for apps that solve specific problems. Building a Shopify app is one of the more accessible paths to recurring SaaS revenue because you get a built-in distribution channel and a customer base that already has a credit card on file.
But the Shopify platform has specific technical requirements, design constraints, and review processes that trip up teams who approach it like any other web application. We have built multiple Shopify apps and integrations for clients, and the difference between a smooth launch and a painful one almost always comes down to understanding the platform before you start coding.
Understanding the Shopify App Architecture
Shopify apps come in two main types: embedded apps and standalone apps. As of 2024, Shopify strongly favors embedded apps that run inside the Shopify admin using their App Bridge library. Unless you have a specific reason not to, build an embedded app.
An embedded app loads inside an iframe in the Shopify admin panel. The merchant never leaves Shopify. Your app communicates with the Shopify admin through App Bridge, which provides UI components, navigation, and authentication context. From the merchant's perspective, your app feels like a native part of Shopify.
The backend of your app is a standard web server. It handles OAuth authentication with Shopify, makes API calls on behalf of the merchant, processes webhooks, and serves your embedded frontend. You can build this backend in any language, but Node.js and Ruby are the most common choices because of strong official library support.
The data flow works like this: A merchant installs your app from the Shopify App Store. Shopify redirects them through an OAuth flow that grants your app an access token for that specific store. Your backend stores this token and uses it to make API calls to the merchant's store, reading products, orders, customers, or whatever data your app needs. Your frontend loads inside the Shopify admin and communicates with your backend.
Authentication and OAuth
Shopify uses OAuth 2.0 for app authentication, but with some platform-specific nuances. The flow starts when a merchant clicks "Install" on your app listing. Shopify redirects to your app with a shop parameter and a temporary code. Your backend exchanges that code for a permanent access token and stores it.
Session tokens are the modern approach for embedded apps. Instead of cookie-based sessions, your embedded frontend gets a session token from App Bridge and sends it with every request to your backend. Your backend validates this token to confirm the request is coming from a legitimate Shopify admin session. This avoids the third-party cookie issues that plague iframe-based authentication.
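The backend-side validation described above, as an added example that is not part of the original article or Shopify's libraries. It assumes the session token is an HS256 JWT signed with the app secret whose `aud` claim is the app's client ID and whose `iss` and `dest` claims name the shop; the credentials and claims shown are constructed.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed credentials for the example; a real app loads these from config.
const CLIENT_ID = "example-client-id";
const CLIENT_SECRET = "example-client-secret";

const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Returns the shop and user the token is bound to, or throws.
function verifySessionToken(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  // Pin the algorithm; never let the token's own header choose it.
  if (decode(head).alg !== "HS256") throw new Error("unexpected alg");
  const expected = createHmac("sha256", CLIENT_SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  const claims = decode(body);
  if (claims.aud !== CLIENT_ID) throw new Error("wrong audience");
  // Written so that a missing exp or nbf fails instead of comparing as false.
  if (!(nowSec < claims.exp) || !(nowSec >= claims.nbf)) throw new Error("outside validity window");
  // iss is https://{shop}/admin and dest is https://{shop}; both must name one shop.
  const shop = new URL(claims.dest).hostname;
  if (new URL(claims.iss).hostname !== shop) throw new Error("iss/dest mismatch");
  return { shop, userId: claims.sub };
}

// Builds a signed token for the demo (constructed data, not a real token).
function signSample(claims, secret = CLIENT_SECRET) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const signingInput = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${signingInput}.${createHmac("sha256", secret).update(signingInput).digest("base64url")}`;
}

const SAMPLE_CLAIMS = {
  iss: "https://example-shop.myshopify.com/admin",
  dest: "https://example-shop.myshopify.com",
  aud: CLIENT_ID, sub: "42", nbf: 1000, exp: 1060,
};
console.log(verifySessionToken(signSample(SAMPLE_CLAIMS), 1030).shop);
```

Use the shop returned by the verifier as the tenant key for every database query in that request, not a shop value supplied in the request body or query string.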
The critical security requirement: always validate the HMAC signature on incoming requests from Shopify. Every redirect and webhook from Shopify includes an HMAC parameter signed with your app secret. Verify it. Skipping this step is a security vulnerability that will get your app rejected during review.
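One way to implement both checks, as an added example that is not part of the original article. It assumes the conventions Shopify documents: a hex HMAC-SHA256 in the `hmac` query parameter computed over the remaining parameters sorted by name for redirects, and a base64 HMAC-SHA256 of the raw request body in the `X-Shopify-Hmac-Sha256` header for webhooks. The secret and sample payloads are constructed.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const APP_SECRET = "example-app-secret"; // constructed; load the real one from config

// Constant-time comparison that also handles attacker-chosen lengths.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// OAuth redirect: hex HMAC over the sorted query parameters, "hmac" excluded.
// Returns the verified shop hostname, or null.
function verifyRedirect(queryString, secret = APP_SECRET) {
  const params = new URLSearchParams(queryString);
  const given = params.get("hmac") || "";
  params.delete("hmac");
  const message = [...params.entries()]
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
  const expected = createHmac("sha256", secret).update(message).digest("hex");
  const shop = params.get("shop") || "";
  // A valid signature is not enough: the shop must also be a Shopify hostname.
  const shopOk = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/.test(shop);
  return safeEqual(given, expected) && shopOk ? shop : null;
}

// Webhook: base64 HMAC over the raw body bytes. Verify before JSON.parse,
// because a parsed and re-serialised body will not reproduce the digest.
function verifyWebhook(rawBody, headerValue, secret = APP_SECRET) {
  const expected = createHmac("sha256", secret).update(rawBody).digest("base64");
  return safeEqual(String(headerValue || ""), expected);
}

// Constructed sample: sign a body the way the sender would, then verify it.
const sampleBody = Buffer.from('{"id":1001,"total_price":"19.99"}');
const sampleSig = createHmac("sha256", APP_SECRET).update(sampleBody).digest("base64");
const tamperedBody = Buffer.from('{"id":1001,"total_price":"0.00"}');
console.log(verifyWebhook(sampleBody, sampleSig));   // true
console.log(verifyWebhook(tamperedBody, sampleSig)); // false
```

In a Node web framework, make sure the webhook route receives the unparsed body buffer; a global JSON body parser registered ahead of it will cause every verification to fail.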
Working with the Shopify API
Shopify offers both REST and GraphQL APIs. Their direction is clearly toward GraphQL, and new features often land in GraphQL first. For new apps, we recommend GraphQL as your primary API with REST as a fallback for specific operations that are simpler over REST.
The GraphQL API has a significant advantage for performance: you can fetch exactly the data you need in a single request instead of making multiple REST calls and getting back fields you do not use. For an app that displays product data alongside order data, one GraphQL query replaces what would be three or four REST API calls.
Rate limiting is a real concern. Shopify uses a bucket-based rate limiting system. REST APIs give you 40 requests per second with a bucket that refills at 2 per second. GraphQL uses a cost-based system where each query has a calculated cost based on complexity. Monitor your usage and implement exponential backoff. Apps that hit rate limits consistently get flagged during review.
For an in-depth look at API design patterns that apply to Shopify integrations and beyond, see our API design best practices guide.
Webhooks are essential. Do not poll for changes. Register webhooks for the events your app cares about: orders created, products updated, app uninstalled, and so on. Shopify delivers webhooks as HTTP POST requests to your endpoint. Process them asynchronously. Acknowledge the webhook with a 200 response immediately, then handle the business logic in a background job. Shopify will retry failed webhooks, but if your endpoint is slow to respond, deliveries start getting delayed.
Building the Frontend with Polaris
Shopify provides Polaris, their React component library, for building app UIs. Using Polaris is not technically required, but it is effectively mandatory if you want your app to look and feel native inside the Shopify admin. The app review team will flag apps with UIs that do not match the Shopify design language.
Polaris gives you components for tables, forms, cards, modals, navigation, and more. The components are well documented and cover most common UI patterns. Where Polaris falls short is on complex, custom visualizations. For charts, drag and drop interfaces, or highly custom layouts, you will need to supplement Polaris with additional libraries while keeping the overall design language consistent.
App Bridge handles the communication between your embedded frontend and the Shopify admin. It provides actions for navigation, toast notifications, modals, and context bars. When a merchant clicks a link in your app, App Bridge ensures the navigation happens correctly within the Shopify admin rather than trying to navigate the iframe.
Data Storage and Architecture Decisions
Your app needs its own database to store app-specific data, merchant configurations, and any computed data that does not live in Shopify. Do not treat the Shopify API as your database. Fetching data from Shopify on every page load is slow and burns through your rate limits.
The common pattern is to sync relevant Shopify data into your own database using webhooks. When a product is created or updated in Shopify, a webhook fires, and your app updates its local copy. This gives you fast reads, lets you run analytics and aggregations locally, and reduces your API dependency.
The database schema design for a Shopify app typically includes a shops table (one row per installed merchant store, storing the access token and configuration), plus whatever domain-specific tables your app needs. Always include a shopify_shop_id column as a foreign key on merchant-specific data, and index it because every query will filter by shop.
Billing and Monetization
Shopify provides a built-in billing API that handles subscriptions, one-time charges, and usage-based billing. You must use Shopify billing for apps distributed through the Shopify App Store. You cannot redirect merchants to Stripe or your own payment page.
The billing flow works like this: your app creates a charge through the Shopify API, Shopify shows the merchant a confirmation screen, the merchant approves, and Shopify handles the payment. Shopify takes a revenue share (currently 0% on the first million dollars in revenue per year for most developers, then 15% after that).
Pricing strategy matters. Study the competitive landscape in your app category before setting prices. Shopify merchants expect monthly subscriptions in the $10 to $100 range for most app categories. Usage-based pricing works well for apps where value scales with merchant activity, like per-order charges for shipping apps.
Offer a free plan or free trial. Merchants are reluctant to pay for an app they have not tested. A 7 to 14 day free trial is standard. A freemium model with a generous free tier can be even more effective for driving installations and reviews.
The App Review Process
Before your app goes live on the Shopify App Store, it goes through a review process. This is not a rubber stamp. Shopify reviewers test your app thoroughly and reject apps that do not meet their requirements.
Common reasons for rejection: poor error handling (your app crashes or shows blank screens when API calls fail), missing uninstall cleanup (your app does not handle the app/uninstalled webhook), privacy violations (accessing scopes you do not need or not having a privacy policy), and UI inconsistencies (not using Polaris or deviating significantly from Shopify design patterns).
Plan for at least one round of revisions after your initial submission. The review process typically takes 5 to 10 business days, and most apps get feedback requesting changes on the first submission.
Scaling Considerations
If your app gets traction, you will quickly go from handling 10 merchants to 10,000. The architecture decisions you make early determine how painful this scaling is.
Multi-tenant architecture is the standard approach. All merchants share the same application infrastructure, with data isolation at the database level (every query filtered by shop ID). This is dramatically more cost-effective than running separate instances per merchant.
Background job processing is critical. Webhook processing, data syncs, report generation, and bulk operations should all happen in background workers. A webhook that takes 10 seconds to process synchronously will cause delivery timeouts when you have thousands of merchants generating events simultaneously.
For teams weighing whether to build a Shopify app or a standalone ecommerce solution, our custom ecommerce versus Shopify comparison covers the strategic tradeoffs in detail.
Getting Started
A Shopify app is a real SaaS product with real infrastructure requirements. You need authentication, database management, webhook processing, background jobs, a polished UI, billing integration, and the ability to handle multi-tenant scale. Treating it as a side project or weekend hack leads to a poor merchant experience and bad reviews.
If you have an app concept and want to build it on a solid foundation, talk to us. We have shipped Shopify integrations and can help you move from idea to app store listing with an architecture that scales.