Shopify App Production Deployment Checklist

v20260423
shopify-prod-checklist
A comprehensive checklist for deploying Shopify apps to production or submitting to the App Store. It covers critical areas including API versioning, mandatory GDPR compliance webhooks, webhook security best practices, rate limit resilience, and App Store listing requirements. Use this guide when preparing for a major launch or auditing existing compliance gaps to ensure maximum stability and security.
Shopify Production Checklist

Overview

Complete pre-launch checklist for deploying Shopify apps to production and submitting to the Shopify App Store.

Prerequisites

  • Staging environment tested and verified
  • Shopify Partner account with app configured
  • All development and staging tests passing

Instructions

Step 1: API and Authentication

  • Using a recent stable API version (e.g., 2025-04), not unstable
  • Access token stored in secure environment variables (never in code)
  • API secret stored securely for webhook HMAC verification
  • OAuth flow tested with a fresh install on a clean dev store
  • Session persistence implemented (database or Redis, not in-memory)
  • Token refresh/re-auth handled for expired sessions
  • APP_UNINSTALLED webhook handler cleans up sessions

Step 2: Mandatory GDPR Compliance

  • customers/data_request webhook handler implemented
  • customers/redact webhook handler implemented
  • shop/redact webhook handler implemented (fires 48h after uninstall)
  • All three configured in shopify.app.toml
  • Handlers respond with HTTP 200 within 5 seconds
  • Customer data deletion actually works (test it!)

Step 3: Webhook Security

  • All webhooks verify X-Shopify-Hmac-Sha256 using HMAC-SHA256
  • Using crypto.timingSafeEqual() for signature comparison
  • Webhook endpoints use raw body parsing (not JSON middleware)
  • Idempotency: duplicate webhook deliveries handled gracefully

Step 4: Rate Limit Resilience

  • GraphQL queries optimized (check requestedQueryCost with debug header)
  • Retry logic with exponential backoff for 429 / THROTTLED responses
  • Bulk operations used for large data exports instead of paginated queries
  • No unbounded loops that could exhaust rate limits

Step 5: Error Handling

  • All GraphQL mutations check userErrors array (200 with errors!)
  • HTTP 4xx/5xx errors caught and logged with X-Request-Id
  • Graceful degradation when Shopify is unavailable
  • No PII logged (customer emails, addresses, phone numbers)
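Steps 4 and 5 together, as one added example (not the checklist's own code): a small Admin GraphQL call wrapper that honours `Retry-After` on 429, reads the cost extensions Shopify returns with a `THROTTLED` error to size the wait, falls back to capped exponential backoff on 5xx, checks `userErrors` on the 200 a mutation returns, and logs `X-Request-Id` with e-mail and phone numbers redacted. `fetchImpl`, `sleep`, `log` and `rand` are injectable so it runs offline; the response shapes follow Shopify's documented throttle format, and the sample values in the test are constructed.

```javascript
// Added example: Shopify Admin GraphQL client with retries, userErrors and safe logging.

// Full-jitter exponential backoff, capped at maxMs. `rand` is injectable for tests.
function backoffMs(attempt, baseMs, maxMs, rand = Math.random) {
  return Math.floor(rand() * Math.min(maxMs, baseMs * 2 ** attempt));
}

// How long to wait before retrying a response, or null when the response is final.
function retryDelayMs(attempt, { status, headers = {}, body = null }, opts = {}) {
  const { baseMs = 500, maxMs = 8000, rand = Math.random } = opts;
  if (status === 429) { // REST-style limit: honour Retry-After (seconds) when present
    const retryAfter = Number(headers["retry-after"]);
    return retryAfter > 0 ? retryAfter * 1000 : backoffMs(attempt, baseMs, maxMs, rand);
  }
  const throttled = !!body && Array.isArray(body.errors) &&
    body.errors.some((e) => e.extensions && e.extensions.code === "THROTTLED");
  if (throttled) { // GraphQL: HTTP 200 carrying a THROTTLED error plus cost extensions
    const cost = body.extensions && body.extensions.cost;
    const ts = cost && cost.throttleStatus;
    if (ts && cost.requestedQueryCost > ts.currentlyAvailable && ts.restoreRate > 0) {
      // Wait until enough cost points have been restored for the query to fit.
      const deficit = cost.requestedQueryCost - ts.currentlyAvailable;
      return Math.min(maxMs, Math.ceil(deficit / ts.restoreRate) * 1000);
    }
    return backoffMs(attempt, baseMs, maxMs, rand);
  }
  if (status >= 500) return backoffMs(attempt, baseMs, maxMs, rand);
  return null;
}

// Strip e-mail addresses and phone numbers before anything reaches a log sink.
function redactPii(text) {
  return String(text)
    .replace(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[email]")
    .replace(/\+?\d[\d\s().-]{7,}\d/g, "[phone]");
}

// Mutations answer HTTP 200 even when they fail; gather data.<field>.userErrors.
function collectUserErrors(data) {
  if (!data || typeof data !== "object") return [];
  return Object.values(data).flatMap((v) => (v && Array.isArray(v.userErrors) ? v.userErrors : []));
}

class ShopifyUserError extends Error {
  constructor(userErrors) {
    super(`Shopify userErrors: ${userErrors.map((e) => e.message).join("; ")}`);
    this.userErrors = userErrors;
  }
}

// POST to the Admin GraphQL API with bounded retries.
async function adminGraphql({ shop, token, apiVersion, query, variables = {} }, deps = {}) {
  const { fetchImpl = globalThis.fetch, sleep = (ms) => new Promise((r) => setTimeout(r, ms)),
          log = console.error, maxAttempts = 5, rand } = deps;
  const url = `https://${shop}/admin/api/${apiVersion}/graphql.json`;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await fetchImpl(url, {
      method: "POST",
      headers: { "Content-Type": "application/json", "X-Shopify-Access-Token": token },
      body: JSON.stringify({ query, variables }),
    });
    const requestId = res.headers.get("x-request-id"); // Shopify support asks for this id
    const body = await res.json().catch(() => null);
    const delay = retryDelayMs(attempt,
      { status: res.status, headers: { "retry-after": res.headers.get("retry-after") }, body }, { rand });
    if (delay !== null && attempt + 1 < maxAttempts) {
      log(`shopify retry attempt=${attempt + 1} status=${res.status} request_id=${requestId} wait_ms=${delay}`);
      await sleep(delay);
      continue;
    }
    if (delay !== null || res.status >= 400 || (body && body.errors)) {
      // Final failure: status, request id and a redacted body, never raw customer data.
      log(`shopify request failed status=${res.status} request_id=${requestId} body=${redactPii(JSON.stringify(body))}`);
      throw new Error(`Shopify API error (status ${res.status}, X-Request-Id ${requestId})`);
    }
    const userErrors = collectUserErrors(body && body.data);
    if (userErrors.length > 0) throw new ShopifyUserError(userErrors);
    return body.data;
  }
}
```

The loop is bounded by `maxAttempts` and every wait is capped, which is what keeps a misbehaving caller from turning a throttle into a retry storm (the "no unbounded loops" item above). The redaction is a conservative pattern match and will also blank long digit runs such as order numbers; that is the safer direction for a log line.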

Step 6: App Store Submission Requirements

  • App listing has clear name, description, and screenshots
  • Privacy policy URL provided
  • App has proper onboarding flow for new merchants
  • Embedded app uses App Bridge for navigation (no full-page redirects)
  • CSP headers set: frame-ancestors https://*.myshopify.com https://admin.shopify.com
  • App works on both desktop and mobile admin
  • Loading states shown during API calls (no blank screens)
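The CSP item above, as an added example (not the checklist's own code). The wildcard value the checklist lists is accepted by Shopify; its embedded-app docs also describe the per-shop form `https://<store>.myshopify.com`, which limits framing to the store that installed the app. This builds that form from the `shop` query parameter Shopify appends to embedded app URLs, after validating it, and falls back to the wildcard otherwise so the header is always present. The middleware signature is Express-style and assumed.

```javascript
// Added example: per-shop frame-ancestors header for an embedded Shopify app.

// Store handles are lowercase letters, digits and hyphens under myshopify.com.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// A validated shop narrows framing to that store's admin; any other value falls
// back to the checklist's wildcard, so no unvalidated string ever reaches the header.
function frameAncestors(shop) {
  if (typeof shop === "string" && SHOP_RE.test(shop)) {
    return `frame-ancestors https://${shop} https://admin.shopify.com`;
  }
  return "frame-ancestors https://*.myshopify.com https://admin.shopify.com";
}

// Express-style middleware: app.use(cspMiddleware) before the embedded routes.
function cspMiddleware(req, res, next) {
  const shop = req.query ? req.query.shop : undefined;
  res.setHeader("Content-Security-Policy", frameAncestors(shop));
  next();
}
```

If the app stores the shop domain in the session, prefer that source over the query string; the regex check still applies, since the value ends up verbatim inside a response header.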

Step 7: API Version Management

# Check which API versions your store supports
# Expects STORE (your store's myshopify.com domain) and TOKEN (an Admin API access token) in the environment
curl -s -H "X-Shopify-Access-Token: $TOKEN" \
  "https://$STORE/admin/api/versions.json" \
  | jq '.supported_versions[] | select(.supported == true) | .handle'

# Shopify deprecates versions ~12 months after release
# Set a calendar reminder to upgrade quarterly

Step 8: Health Check Endpoint

Express endpoint that tests Shopify API connectivity and database availability, returning structured status with latency metrics.

See Health Check Endpoint for the complete implementation.

Output

  • All checklist items verified
  • Health check endpoint operational
  • GDPR compliance webhooks functional
  • App ready for production traffic or App Store submission

Error Handling

Alert              Condition                 Severity
Shopify API down   5xx errors > 5/min        P1 - Critical
Auth failures      401 errors > 0            P1 - Token may be revoked
Rate limited       THROTTLED > 5/min         P2 - Reduce query cost
High latency       p95 > 3000ms              P2 - Check query complexity
Webhook failures   Delivery success < 95%    P2 - Check endpoint health

Examples

Pre-Deploy Smoke Test

Bash script that validates Shopify auth and API scopes before deploying to production.

See Pre-Deploy Smoke Test for the complete script.

Resources

Info

Category     Development
Name         shopify-prod-checklist
Version      v20260423
Size         3.86KB
Updated      2026-04-28