Shopify Integration for 3PLs

Mar 09, 2021

|

Volodymyr Rudyi

Right now is a golden age of e-Commerce. Everyone can establish their store in less than an hour by using cloud-based platforms like Shopify. It also means that third-party logistics providers (3PLs) have an additional channel for leads - a ready-to-use application in the e-Commerce platform marketplace.

Recently I implemented a Proof of Concept with Shopify, and I'd like to share that experience from a business and technical point of view. Additionally, I'll be happy to shed some light on Shopify apps from the tech-savvy merchant's perspective.

What is Shopify?

Shopify is a commerce platform that allows quickly creating online store and starting selling your products. Unlike self-hosted solutions, it doesn't require any knowledge of administration, DevOps or programming.

The platform is industry-agnostic and is suitable for businesses of various sizes.

Is Shopify the right choice for my store?

While this is completely out of this blog post's scope, I decided to leave this paragraph here.I have worked as an e-Commerce developer for more than 5 years (mainly hybris/SAP Hybris) and understand what SMEs may expect from their e-Commerce store.

It's a great tool to start with. Especially, because you can spin up your store in minutes. Besides it, it's affordable(the advanced plan is only $299/mo).

Out of the platform's box features combined with a wide variety of apps(check my notes about the security below) will give you a lot of time before you grow out of it.

What is a Shopify app?

To figure out what's needed to create your own Shopify app, we need first to understand what exactly it is.

Shopify is cloud-based and its extension model is very simple: any custom functionality may be added to the platform as a standalone web application interacting with Shopify using it's API.

At this point, there are three types of applications supported by Shopify:

  1. Public applications. Available via the app store to any merchant. Such apps are reviewed by the Shopify team.
  2. Custom applications. Available only to a single merchant using a special installation link. Custom apps don't need to pass the review process. Ideal for merchant-specific applications or alpha releases.
  3. Private applications. Available only to a single merchant. Highly discouraged by Shopify since private applications have too wide access to store data.

In this blog post I'm talking only about public and custom applications, since they are identical from a technical point of view and both recommended by Shopify as the way to customize the store.

Extension points available to Shopify apps

As a 3PL, you may want to know what exactly can be customized using the app. The good news, may things can be customized! Here is the approximate list of things you can do by creating a custom Shopify app:

  • Use Shopify Admin API to read and modify data in the store via your application. Enhancement of customer, product or order data, addition of new shipping and fulfillment methods are among popular use cases.
  • App Extensions. Actions, buttons and links that can be added to Shopify merchant interface.
  • Shopify Themes, Shopify POS and many other.

As you can see, the platform is highly customizable. Moving forward, we'll focus on Shopify Admin API and will cover App Extensions a bit.

Creating a custom fulfillment Shopify app

Now it's time for a walkthrough of the Shopify app creation process.

Technical content alert! You may want to skip this section altogether and go directly to the "Reducing development and maintenance costs of Shopify apps" section. Feel free to share this content with your CTO or developers though!

Authenticating application

Apps in Shopify are installed/authenticated using the OAuth 2.0 Authorization Code flow. Once the challenge is completed, as an app developer, you will be dealing with the access token.

The access token in Shopify is long-lived and never expires except for the cases, when you manually rotate API secret key. Yes, you got it right, tokens can be only rotated manually. You can find the confirmation in the official API documentation.

The received token should be securely stored on the application side to access API offline(meaning "in the background") in the future. There are also online per-user credentials, but I'm not covering these in this blog post.

Creating a new fulfillment service

By default, Shopify has only one fulfillment service configured - Shopify itself. It's also possible to forward fulfillment orders via email. But in a case when something more custom is required, it can be performed by an application.

Application can register a new fulfillment service by using the "fulfillment_services" API resources. The REST API call body will look like this:

{
     fulfillment_service:

     {
        "name": "AgileVision Fulfillment",
        "callback_url": "<callback-url>",
        "inventory_management": false,
        "tracking_support": false,
        "requires_shipping_method": true,

        "fulfillment_orders_opt_in": true,
        "format": "json"
    }
}

The best moment to create a new fulfillment service is right after your application is installed. There is no webhook for this event, but you can simply do it after receiving the access token, since it's a final step of the Shopify app installation.

A successful call will result in a new fulfillment method (AgileVision Fulfillment in this case). A new, "app location" will be added to the "Locations" menu.

 

Handling fulfillment requests

Once our custom fulfillment service is used,  it's possible to subscribe to fulfillment event updates using Webhooks.

It's up to the application whether to accept the fulfillment request or no. A detailed information on the fulfillment event payload can be found in the documentation.

Additionally, a callback URL may be queried by Shopify in order to fetch inventory levels or tracking numbers in case if corresponding options were enabled.

Reducing development and maintenance costs of Shopify apps

When creating a custom software like a Shopify app, one of the problems is the development and maintenance cost.

With the current state of cloud providers, there is a solution for both. By using the serverless approach, it's possible to develop a custom application within a short timeframe and ensure it won't require too much maintenance cost. This is because maintenance, provisioning, and upgrade of servers is not a problem anymore.

Additionally, serverless is based on the pay-per-invocation model, so you won't need to spin up traditional, pay-per-hour compute nodes. 

So to be more cost-efficient and reduce the development time and cost, it's possible to deploy Shopify app to Amazon Lambda.

Security and privacy of Shopify apps

This section will be especially interesting for merchants to understand the importance of using only applications by trusted vendors. Besides it, as a 3PL, it will give you a better understanding of your client's risks and possible objections.

Once you start developing custom applications, you may notice while powerful, Shopify API doesn't have fine-grained access control. Unfortunately, it's not possible at this moment to limit access for apps only to a certain subset of orders. For most of the API, it's all-or-nothing(even though you can grant read-only access to the app to a certain object, e.g. order, you can't limit which orders the app will see).

This means you need to be especially careful when installing applications to your star and review every permission app requests.

Final thoughts

I like Shopify for the ease of use and extensibility. Documentation is also surprisingly developer-friendly, which makes Shopify a rather open platform in terms of extensions.

While there are areas to improve, especially security(e.g. make access token short-lived) and fine-grained access control, I got overly positive experience while working with it.