This package provides Shopify's OAuth 2.0 support for the PHP League's OAuth 2.0 Client.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Shopify Provider for OAuth 2.0 Client

Latest Stable Version Total Downloads License Build Status Scrutinizer Code Quality

This package provides Shopify's OAuth 2.0 support for the PHP League's OAuth 2.0 Client.


To install, use composer:

composer require multidimensional/oauth2-shopify


Usage is the same as The League's OAuth client, using \Multidimensional\OAuth2\Client\Provider\Shopify as the provider.

Authorization Code Flow

$provider = new Multidimensional\OAuth2\Client\Provider\Shopify([
    'clientId'          => '{shopify-app-id}',
    'clientSecret'      => '{shopify-app-secret}',
    'shop'              => '',
    'redirectUri'       => '',

if (!isset($_GET['code'])) {
    $options = [
        'scope' => ['read_orders','write_orders'] // array or string

    // If we don't have an authorization code then get one
    $authUrl = $provider->getAuthorizationUrl($options);
    $_SESSION['oauth2state'] = $provider->getState();
    header('Location: '.$authUrl);

// Check given state against previously stored one to mitigate CSRF attack
} elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {
    exit('Invalid state');
} else {

    // Try to get an access token (using the authorization code grant)
    $token = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code']

    // Optional: Now you have a token you can look up a users profile data
    try {

        // We got an access token, let's now get the user's details
        $user = $provider->getResourceOwner($token);

        // Use these details to create a new profile
        printf('Hello %s!', $user->getName());

    } catch (Exception $e) {

        // Failed to get user details
        exit('Oh dear...');

    // Use this to interact with an API on the users behalf
    echo $token->getToken();

Managing Scopes

When creating your Shopify authorization URL, you can specify the state and scopes your application may authorize.

$options = [
    'scope' => ['read_orders','write_orders'] // array or string

$authorizationUrl = $provider->getAuthorizationUrl($options);

If neither are defined, the provider will utilize internal defaults.

At the time of authoring this documentation, the following scopes are available.

  • read_content, write_content- Access to Article, Blog, Comment, Page, and Redirect.
  • read_themes, write_themes - Access to Asset and Theme.
  • read_products, write_products - Access to Product, product variant, Product Image, Collect, Custom Collection, and Smart Collection.
  • read_customers, write_customers - Access to Customer and Saved Search.
  • read_orders, write_orders - Access to Order, Transaction and Fulfillment.
  • read_script_tags, write_script_tags - Access to Script Tag.
  • read_fulfillments, write_fulfillments - Access to Fulfillment Service.
  • read_shipping, write_shipping - Access to Carrier Service.
  • read_analytics - Access to Analytics API.
  • read_users, write_users - Access to User SHOPIFY PLUS.


$ ./vendor/bin/phpunit


Please see CONTRIBUTING for details.



The MIT License (MIT). Please see License File for more information.