OAuth 2.0 Authentication

LaunchMyStore uses OAuth 2.0 for secure app authentication. This allows merchants to grant your app specific permissions without sharing their credentials.

OAuth Flow

Available Scopes

Request only the scopes your app needs. Merchants see all requested scopes during installation.

Store Data

| Scope | Description |
| --- | --- |
| read_shop | View store information |
| write_shop | Modify store settings |
| read_products | View products and variants |
| write_products | Create, update, delete products |
| read_collections | View collections |
| write_collections | Manage collections |

Orders & Customers

| Scope | Description |
| --- | --- |
| read_orders | View orders and transactions |
| write_orders | Create, update, fulfill orders |
| read_customers | View customer data |
| write_customers | Create, update customers |
| read_fulfillments | View fulfillment data |
| write_fulfillments | Create, update fulfillments |

Inventory & Discounts

| Scope | Description |
| --- | --- |
| read_inventory | View inventory levels |
| write_inventory | Adjust inventory |
| read_discounts | View discount codes |
| write_discounts | Create, manage discounts |

Metafields

| Scope | Description |
| --- | --- |
| read_metafields | View metafield data |
| write_metafields | Create, update metafields |

Authorization Request

Redirect merchants to the authorization URL:
GET https://api.launchmystore.io/oauth/authorize

Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| client_id | Yes | Your app’s Client ID |
| scope | Yes | Comma-separated list of scopes |
| redirect_uri | Yes | Your callback URL (must match registered URL) |
| state | Recommended | Random string to prevent CSRF attacks |

Example

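// Runs inside your install route handler (Express-style `res`);
// CLIENT_ID comes from your app configuration.
const crypto = require('crypto');

// Unguessable per-request value. Store it server-side (for example in the
// merchant's session) so the callback can compare it with what comes back.
const state = crypto.randomBytes(32).toString('hex');

const authUrl = new URL('https://api.launchmystore.io/oauth/authorize');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('scope', 'read_products,write_products,read_orders');
authUrl.searchParams.set('redirect_uri', 'https://my-app.com/auth/callback');
authUrl.searchParams.set('state', state);

res.redirect(authUrl.toString());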

Token Exchange

After the merchant approves, they’re redirected to your redirect_uri with a code parameter. Exchange this for tokens:
POST https://api.launchmystore.io/oauth/token
Content-Type: application/json

{
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "code": "authorization_code_from_callback",
  "grant_type": "authorization_code",
  "redirect_uri": "https://my-app.com/auth/callback"
}

Response

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "dGhpcyBpcyBhIHJlZnJl...",
  "token_type": "Bearer",
  "expires_in": 86400,
  "scope": "read_products,write_products,read_orders"
}

Token Refresh

Access tokens expire after 24 hours. Use the refresh token to get a new access token:
POST https://api.launchmystore.io/oauth/token
Content-Type: application/json

{
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "refresh_token": "your_refresh_token",
  "grant_type": "refresh_token"
}

Refresh tokens expire after 30 days. If a refresh token expires, the merchant must re-authorize your app.

Making Authenticated Requests

Include the access token in the Authorization header:
const response = await fetch('https://api.launchmystore.io/api/v1/products', {
  headers: {
    'Authorization': `Bearer ${accessToken}`,
    'Content-Type': 'application/json'
  }
});

Security Best Practices

Never store tokens in client-side code or version control. Use encrypted database columns or a secrets manager.
Always validate that the state parameter in the callback matches what you sent. This prevents CSRF attacks.
Implement automatic token refresh before making API calls. Check expires_in and refresh proactively.
Only request the permissions your app actually needs. Merchants are more likely to install apps with fewer permissions.
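
The state check and proactive refresh recommended above, as an added example that is not LaunchMyStore's own code. The `session` object, the function names and the 5-minute refresh margin are assumptions; the field names come from the token response shown earlier.

```javascript
// Added example, not LaunchMyStore code. Names and the refresh margin are assumptions.
const crypto = require('crypto');

const REFRESH_MARGIN_MS = 5 * 60 * 1000; // assumption: refresh 5 minutes before expiry

// Unguessable per-install value; store it in the merchant's server-side session.
function newState() {
  return crypto.randomBytes(32).toString('hex');
}

// Constant-time comparison; non-strings (missing or repeated query params) never match.
function stateMatches(expected, received) {
  if (typeof expected !== 'string' || typeof received !== 'string') return false;
  if (expected === '') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Validate the callback query before calling the token endpoint.
// `session` is a hypothetical per-merchant server-side store.
function handleCallback(session, query) {
  const expected = session.oauthState;
  delete session.oauthState; // single use: a replayed callback fails
  if (!stateMatches(expected, query.state)) return { ok: false, error: 'state_mismatch' };
  if (typeof query.code !== 'string' || query.code === '') {
    return { ok: false, error: 'missing_code' };
  }
  return { ok: true, code: query.code };
}

// Convert the token response's relative expires_in into an absolute expiry time.
function toTokenRecord(response, nowMs = Date.now()) {
  return {
    accessToken: response.access_token,
    refreshToken: response.refresh_token,
    expiresAt: nowMs + response.expires_in * 1000,
  };
}

// True when the access token is expired or inside the refresh margin.
function needsRefresh(record, nowMs = Date.now()) {
  return nowMs >= record.expiresAt - REFRESH_MARGIN_MS;
}
```

Only exchange the `code` when `handleCallback` returns `ok: true`, and call `needsRefresh` before each API request so the refresh grant runs while the access token is still valid.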