Shopify Production Checklist
Overview
Complete pre-launch checklist for deploying Shopify apps to production and submitting to the Shopify App Store.
Prerequisites
- Staging environment tested and verified
- Shopify Partner account with app configured
- All development and staging tests passing
Instructions
Step 1: API and Authentication
- [ ] Using a recent stable API version (e.g., 2025-04), not
unstable - [ ] Access token stored in secure environment variables (never in code)
- [ ] API secret stored securely for webhook HMAC verification
- [ ] OAuth flow tested with a fresh install on a clean dev store
- [ ] Session persistence implemented (database or Redis, not in-memory)
- [ ] Token refresh/re-auth handled for expired sessions
- [ ]
APP_UNINSTALLEDwebhook handler cleans up sessions
Step 2: Mandatory GDPR Compliance
- [ ]
customers/data_requestwebhook handler implemented - [ ]
customers/redactwebhook handler implemented - [ ]
shop/redactwebhook handler implemented (fires 48h after uninstall) - [ ] All three configured in
shopify.app.toml - [ ] Handlers respond with HTTP 200 within 5 seconds
- [ ] Customer data deletion actually works (test it!)
Step 3: Webhook Security
- [ ] All webhooks verify
X-Shopify-Hmac-Sha256using HMAC-SHA256 - [ ] Using
crypto.timingSafeEqual()for signature comparison - [ ] Webhook endpoints use raw body parsing (not JSON middleware)
- [ ] Idempotency: duplicate webhook deliveries handled gracefully
Step 4: Rate Limit Resilience
- [ ] GraphQL queries optimized (check
requestedQueryCostwith debug header) - [ ] Retry logic with exponential backoff for 429 / THROTTLED responses
- [ ] Bulk operations used for large data exports instead of paginated queries
- [ ] No unbounded loops that could exhaust rate limits
Step 5: Error Handling
- [ ] All GraphQL mutations check
userErrorsarray (200 with errors!) - [ ] HTTP 4xx/5xx errors caught and logged with
X-Request-Id - [ ] Graceful degradation when Shopify is unavailable
- [ ] No PII logged (customer emails, addresses, phone numbers)
Step 6: App Store Submission Requirements
- [ ] App listing has clear name, description, and screenshots
- [ ] Privacy policy URL provided
- [ ] App has proper onboarding flow for new merchants
- [ ] Embedded app uses App Bridge for navigation (no full-page redirects)
- [ ] CSP headers set:
frame-ancestors https://*.myshopify.com https://admin.shopify.com - [ ] App works on both desktop and mobile admin
- [ ] Loading states shown during API calls (no blank screens)
Step 7: API Version Management
# Check which API versions your store supports
curl -s -H "X-Shopify-Access-Token: $TOKEN" \
"https://$STORE/admin/api/versions.json" \
| jq '.supported_versions[] | select(.supported == true) | .handle'
# Shopify deprecates versions ~12 months after release
# Set a calendar reminder to upgrade quarterly
Step 8: Health Check Endpoint
Express endpoint that tests Shopify API connectivity and database availability, returning structured status with latency metrics.
See Health Check Endpoint for the complete implementation.
Output
- All checklist items verified
- Health check endpoint operational
- GDPR compliance webhooks functional
- App ready for production traffic or App Store submission
Error Handling
| Alert | Condition | Severity | |-------|-----------|----------| | Shopify API down | 5xx errors > 5/min | P1 - Critical | | Auth failures | 401 errors > 0 | P1 - Token may be revoked | | Rate limited | THROTTLED > 5/min | P2 - Reduce query cost | | High latency | p95 > 3000ms | P2 - Check query complexity | | Webhook failures | Delivery success < 95% | P2 - Check endpoint health |
Examples
Pre-Deploy Smoke Test
Bash script that validates Shopify auth and API scopes before deploying to production.
See Pre-Deploy Smoke Test for the complete script.