> ## Documentation Index
> Fetch the complete documentation index at: https://developers.appstle.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Handle OAuth callback from Shopify

> OAuth 2.0 callback endpoint that receives the authorization code from Shopify after customer authorization. This endpoint is called automatically by Shopify after the customer authorizes the app.

**Flow:**
1. Shopify redirects customer here with authorization code and state
2. Validates state parameter to prevent CSRF
3. Exchanges authorization code for access token using PKCE verifier
4. Validates ID token (JWT) from Shopify
5. Stores access token and refresh token securely
6. Redirects customer back to original return URL

**Security:**
- Validates state parameter matches stored value
- Uses PKCE code verifier to exchange authorization code
- Validates ID token signature and claims
- State expires after 10 minutes

**Error Handling:**
- If customer denies authorization, redirects with error parameter
- If token exchange fails, redirects with error parameter
- All errors are logged for debugging

**Note:** This endpoint should not be called directly - it's invoked by Shopify's OAuth redirect.



## OpenAPI

````yaml /subscription/storefront-api-swagger.json get /subscriptions/cp/api/customer-account-api/oauth/callback
openapi: 3.0.1
info:
  description: >-
    Comprehensive API documentation for the customer-facing subscription portal.
    These APIs enable customers to manage their subscriptions, update billing
    information, modify delivery schedules, and access their account details
    through your storefront.


    **Important**: These APIs must be called from your shop's domain (e.g.,
    https://www.myshop.com/apps/subscriptions/cp/api/**) and require customer
    authentication. Unauthenticated requests will return a 401 Unauthorized
    error.
  title: Storefront APIs
  version: 0.0.1
servers:
  - url: https://www.myshop.com/apps
security: []
tags:
  - description: >-
      Core customer portal APIs for managing customer account settings,
      authentication, and portal configurations.
    name: Customer Portal
  - description: >-
      APIs for customers to view and manage their subscription contracts
      including status updates, frequency changes, and cancellations.
    name: Subscription Management
  - description: >-
      APIs for retrieving and updating subscription contract details — delivery
      schedules, line items, addresses, billing cycles.
    name: Subscription Contracts
  - description: >-
      APIs for retrieving available subscription plans and selling plan
      configurations exposed to customers.
    name: Subscription Plans
  - description: >-
      APIs for managing one-time add-on products that can be purchased alongside
      recurring subscription items.
    name: Subscription One-Time Products
  - description: >-
      APIs for retrieving aggregated subscription data and account-level
      subscription information for the signed-in customer.
    name: Subscription Data
  - description: >-
      APIs for managing customizable product boxes and bundles where customers
      can select multiple items.
    name: Build-a-Box & Bundles
  - description: >-
      APIs for managing payment methods, billing information, and processing
      subscription payments.
    name: Billing & Payments
  - description: >-
      APIs for retrieving product information, selling plans, variant data, and
      subscription-enabled products available to customers.
    name: Product Catalog
  - description: >-
      APIs for managing delivery schedules, shipping addresses, delivery
      methods, and tracking order status.
    name: Delivery & Shipping
  - description: >-
      APIs for handling subscription cancellations, retention activities, and
      customer feedback management.
    name: Customer Retention
  - description: >-
      APIs for integrating loyalty programs with subscriptions including points
      redemption and earning options.
    name: Loyalty Integration
  - description: >-
      APIs for accessing portal customization settings, translations, and theme
      configurations.
    name: Customization
  - description: >-
      APIs for retrieving promotional campaigns shown in the customer portal,
      tracking banner engagement, and redeeming campaign offers.
    name: Campaigns
  - description: >-
      APIs for local pickup and click-and-collect — listing pickup locations and
      resolving eligible pickup dates and time slots.
    name: Store Pickup
paths:
  /subscriptions/cp/api/customer-account-api/oauth/callback:
    get:
      tags:
        - Customer Portal
      summary: Handle OAuth callback from Shopify
      description: >-
        OAuth 2.0 callback endpoint that receives the authorization code from
        Shopify after customer authorization. This endpoint is called
        automatically by Shopify after the customer authorizes the app.


        **Flow:**

        1. Shopify redirects customer here with authorization code and state

        2. Validates state parameter to prevent CSRF

        3. Exchanges authorization code for access token using PKCE verifier

        4. Validates ID token (JWT) from Shopify

        5. Stores access token and refresh token securely

        6. Redirects customer back to original return URL


        **Security:**

        - Validates state parameter matches stored value

        - Uses PKCE code verifier to exchange authorization code

        - Validates ID token signature and claims

        - State expires after 10 minutes


        **Error Handling:**

        - If customer denies authorization, redirects with error parameter

        - If token exchange fails, redirects with error parameter

        - All errors are logged for debugging


        **Note:** This endpoint should not be called directly - it's invoked by
        Shopify's OAuth redirect.
      operationId: handleOAuthCallback
      parameters:
        - description: Authorization code from Shopify (if successful)
          example: abc123...
          in: query
          name: code
          required: false
          schema:
            type: string
        - description: State parameter for CSRF protection
          in: query
          name: state
          required: true
          schema:
            type: string
        - description: Error code if authorization failed
          example: access_denied
          in: query
          name: error
          required: false
          schema:
            type: string
        - description: Human-readable error description
          in: query
          name: error_description
          required: false
          schema:
            type: string
      responses:
        '302':
          description: Redirects to return URL with success or error parameter
        '400':
          description: Invalid or missing OAuth parameters

````