2
5 Comments

The one auth bug that blocked my Shopify app for weeks

I just shipped my first Shopify app. Getting it approved took longer than building it, mostly because of one auth issue I couldn't find documented anywhere.
Shopify embedded apps run inside an iframe in the admin. Session tokens work differently there — they don't persist the way cookies do when you navigate between routes. Every sub-route was returning 403, randomly, with no clear error message. The index route loaded fine. Everything else failed.
I spent days reinstalling the app, clearing sessions, changing scopes. Nothing worked consistently.
The fix was two lines:
First — redirect must come from authenticate.admin(request), not from React Router. They look identical in code but behave completely differently inside an iframe context.
Second — authenticate.admin must be the very first call in every loader and action, before anything else including your own database queries.
That's it. The kind of thing that takes five seconds to fix once you know it, and days to find.
The app is a business health monitor for Shopify merchants — RFM customer segmentation, inventory velocity alerts, profit tracking. Just launched with 1 install so far. If you're building on Shopify and hit similar auth issues, happy to compare notes. And if you're a Shopify merchant curious about the analytics angle, feedback is very welcome.
https://apps.shopify.com/virtevo-pulse

on July 6, 2026
  1. 1

    I like that you shared the auth lesson, but what caught my attention was the product itself.

    Most analytics tools tell merchants what already happened. A business health monitor has the opportunity to become something different—helping them notice issues early enough to act before they show up in the monthly numbers. That feels like a much stronger problem to own.

    1. 1

      That's exactly the angle I'm trying to own. The name "Pulse" is intentional — something you check daily, not a dashboard you open after something already went wrong.
      The RFM segmentation is the clearest example right now. Instead of showing a customer list, it tells you which customers are going quiet before they're actually gone. That's the window to act.
      Appreciate the framing — it's a cleaner way to describe what this actually is.

      1. 1

        Interesting.

        Reading your reply made me think less about early detection itself and more about what a business quietly commits to once it promises to help people act before problems become visible.

        I don't think I can explain that line of reasoning properly in a thread without oversimplifying it.

        If you're open to it, what's the best email to reach you on?

          1. 1

            Thanks! I’ve just sent it over.

            Looking forward to hearing your thoughts whenever you have a chance.

Trending on Indie Hackers
The hardest part isn't building anymore User Avatar 112 comments The feature you're most sure about is the one you should question first User Avatar 92 comments I sold $6,773 in 2 weeks, with almost no existing community. User Avatar 63 comments I let 3 LLMs argue on the famous AI "Car wash: Walk or Drive" problem to prove a point. User Avatar 48 comments Before you build another feature, use this workflow User Avatar 45 comments 5 days post-launch: Top 50 on Product Hunt, zero signups, and why I think that's actually fine User Avatar 44 comments