kyon147/laravel-shopify

Shopify package for Laravel to aide in app development

Maintainers

Package info

github.com/Kyon147/laravel-shopify

Forum

Wiki

pkg:composer/kyon147/laravel-shopify

Fund package maintenance!

kyon147

Open Collective

paypal.me/kyon147

Statistics

Installs: 298 006

Dependents: 0

Suggesters: 0

Stars: 482

Open Issues: 27

Security

Advisories: 0

Aikido package health analysis

v27.0.0 2026-06-20 15:24 UTC

Requires

Requires (Dev)

MIT 74970e2d3bf690d2e7184432701c47ce9d6431bc

  • Luke (Kyon147) <support.woop@appydesign.co.uk>

apisdkdrivershopifylaravelfacadewebhooklaravel-packageshopify-apilaravel-shopifycallback-urlscripttagsshopify-app

This package is auto-updated.

Last update: 2026-06-20 16:02:55 UTC

README

Tests codecov License

This is a maintained version of the wonderful but now deprecated original Laravel Shopify App. To keep things clean, this has been detached from the original.

To install this package run:

composer require kyon147/laravel-shopify

Publish the config file:

php artisan vendor:publish --tag=shopify-config

A full-featured Laravel package for aiding in Shopify App development, similar to shopify_app for Rails. Works for Laravel 8 and up.

Screenshot Screenshot: Billable

Table of Contents

* Wiki pages

For more information, tutorials, etc., please view the project's wiki.

Goals

  • Per User Auth Working
  • Better support for SPA apps using VueJS
  • Getting "Blade" templates working better with Shopify's new auth process???

Documentation

For full resources on this package, see the wiki.

Expiring offline access tokens

Shopify requires expiring offline access tokens for new public apps created on or after April 1, 2026. This package supports them when enabled:

  1. Run package migrations so your shops table includes shopify_offline_refresh_token, shopify_offline_access_token_expires_at, and shopify_offline_refresh_token_expires_at.
  2. Set SHOPIFY_EXPIRING_OFFLINE_TOKENS=true in .env (see expiring_offline_tokens, auto_migrate_legacy, and offline_access_token_refresh_skew_seconds in config/shopify-app.php).
  3. Keep APP_KEY stable: refresh tokens are stored encrypted with Laravel’s encrypter.

Authorization code exchange, session-token exchange, and refresh_token grants are handled inside this package (Osiset\ShopifyApp\Services\ApiHelper and OfflineAccessTokenRefresher), not via gnikyt/basic-shopify-api updates. A valid access token is refreshed automatically before apiHelper() builds the API session when the offline token is expired or within the configured skew.

Migrating existing installs (optional): Shops that already have a non-expiring offline token are not upgraded automatically when you enable the flag alone. Options:

  • Passive (default): With SHOPIFY_AUTO_MIGRATE_LEGACY=true (default), the first apiHelper() call for a legacy shop runs Shopify Step 4 token exchange synchronously. Failures are logged and the request continues with the legacy token (fail-open).
  • Batch CLI (serverless-safe): php artisan shopify-app:migrate-expiring-offline-tokens (--dry-run, --shop=example.myshopify.com) chunks matching shops and dispatches MigrateShopTokenJob to the queue — no HTTP in the command itself (suitable for Laravel Vapor).
  • Action: MigrateShopToExpiringOfflineAccessToken — call per shop from your own code; returns migrated, skipped, reason, and error keys.
  • API: ApiHelper::exchangeNonExpiringOfflineTokenForExpiring($shopDomain, $currentOfflineToken) then persist with ShopCommand::setAccessToken.

Migration is one-way: Shopify revokes the old token on successful exchange.

Long-running jobs: Token refresh runs when the API client is first built ($shop->api() / $shop->apiHelper()). If a job reuses the same shop model for hours, the cached client keeps the old access token even after expiry. Options:

  • Opt-in config: SHOPIFY_REFRESH_OFFLINE_TOKEN_BEFORE_API_CALL=true re-checks expiry before each api() / apiHelper() call and rebuilds the client when needed.
  • Manual helpers on your shop model:
    • $shop->offlineAccessTokenIsFresh()true when the token is outside the refresh skew window
    • $shop->refreshOfflineAccessTokenIfNeeded() — refreshes via Shopify and clears the cached client
    • $shop->resetApiClient() — clears the cached client so the next API call rebuilds it
// Per loop iteration in a bulk job
if (! $shop->offlineAccessTokenIsFresh()) {
    $shop->refreshOfflineAccessTokenIfNeeded();
}
$shop->api()->graph('...');

If your User model overrides $casts, merge datetime casts for the two *_expires_at columns (the ShopModel trait uses mergeCasts when initializeShopModel runs).

Longer term, consider replacing or forking gnikyt/basic-shopify-api for REST/Graph traffic if you need an actively maintained HTTP client; expiring offline OAuth is already decoupled from that dependency.

Issue or request?

If you have found a bug or would like to request a feature for discussion, please use the ISSUE_TEMPLATE in this repo when creating your issue. Any issue submitted without this template will be closed.

License

This project is released under the MIT license.

Misc

Repository

Contributors

Contributions are always welcome! Contibutors are updated each release, pulled from Github. See CONTRIBUTORS.txt.

If you're looking to become a contributor, please see CONTRIBUTING.md.

Maintainers

Maintainers are users who manage the repository itself, whether it's managing the issues, assisting in releases, or helping with pull requests.

Currently this repository is maintained by:

Looking to become a maintainer? E-mail @kyon147 directly.

Special Note

I develop this package in my spare time, with a busy family/work life like many of you! So, I would like to thank everyone who's helped me out from submitting PRs, to assisting on issues, and plain using the package (I hope its useful). Cheers.