shopify-node-api

1.11.1 verified Sat Apr 25 auth: no javascript abandoned

Node.js module for Shopify API OAuth2 authentication and REST requests. Version 1.11.1 provides support for public and private Shopify apps, handling OAuth token exchange, signature verification, and CRUD operations. It is an older, unmaintained library with minimal updates since 2016. Compared to alternatives like shopify-api-node or @shopify/shopify-api, it lacks TypeScript support, modern API features, and active maintenance.

Common errors

error Error: ShopifyAPI module expects a config object ↓

cause Instantiating without a config object

fix

const Shopify = new shopifyAPI({ shop: '...', shopify_api_key: '...' });

error Cannot read property 'get' of undefined ↓

cause Calling methods on undefined instance if 'new' keyword omitted

fix

Use 'new shopifyAPI()' instead of 'shopifyAPI()'

Warnings

breaking Constructor throws error if no config object passed ↓

fix Always pass a valid config object: 'new shopifyAPI({...})'

gotcha Access token in config is not updated automatically after exchange_temporary_token ↓

fix Manually set 'config.access_token = data.access_token' after callback

deprecated OAuth signature verification uses outdated HMAC-SHA256 ↓

fix Use '@shopify/shopify-api' instead for up-to-date security

gotcha Nonce is required but not validated; must be unique per request ↓

fix Generate a cryptographically random nonce for each auth request

gotcha HTTP request errors may not propagate correctly ↓

fix Always check 'err' parameter in callbacks; wrap in try-catch

Install

npm install shopify-node-api

yarn add shopify-node-api

pnpm add shopify-node-api

Imports

shopifyAPI

wrong

import shopifyAPI from 'shopify-node-api';

correct

const shopifyAPI = require('shopify-node-api');

This package is CJS-only; does not support ESM imports.

Shopify instance

wrong

const Shopify = shopifyAPI({ shop: '...' });

correct

const Shopify = new shopifyAPI({ shop: '...', shopify_api_key: '...' });

Must use 'new' keyword when instantiating; omitting it may cause silent failures.

buildAuthURL
wrong
```
shopifyAPI.buildAuthURL();
```
correct
```
Shopify.buildAuthURL();
```
buildAuthURL is an instance method, not a static method.

Quickstart

Shows OAuth flow: initialize, build auth URL, exchange token for permanent access.

const shopifyAPI = require('shopify-node-api');

const Shopify = new shopifyAPI({
  shop: 'my-shop',
  shopify_api_key: process.env.SHOPIFY_API_KEY ?? '',
  shopify_shared_secret: process.env.SHOPIFY_SECRET ?? '',
  shopify_scope: 'write_products',
  redirect_uri: 'http://localhost:3000/finish_auth',
  nonce: 'random-nonce'
});

// Build authorization URL
const authUrl = Shopify.buildAuthURL();
console.log('Authorize at:', authUrl);

// After Shopify redirects back, exchange temporary token
app.get('/finish_auth', (req, res) => {
  Shopify.exchange_temporary_token(req.query, (err, data) => {
    if (err) return res.status(500).send(err.message);
    // access_token available in data.access_token
    res.send('Authenticated!');
  });
});