orcaqubits/node-backend
dist/codex/shopify-commerce/skills/node-backend/SKILL.md
Build Node.js backends for Shopify apps — Remix server, @shopify/shopify-app-remix, session storage, OAuth handling, API proxy, webhook processing, and deployment. Use when building the server-side component of Shopify apps.
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins node-backendInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 6:01 AM152.8s1 file scanned
SKILL.md
- name:
- node-backend
- description:
- >
Node.js Backend for Shopify Apps
Before writing code
Fetch live docs:
- Web-search
site:shopify.dev app remix serverfor Remix app server patterns - Web-search
site:github.com shopify shopify-app-jsfor Shopify Node.js libraries - Web-search
site:shopify.dev session storagefor session management options
App Server Architecture
Typical Stack
Shopify Admin (iframe)
↓ App Bridge session token
Remix Server (@shopify/shopify-app-remix)
↓ GraphQL Admin API calls
Shopify APIs
↓ Webhooks
Your Webhook Handler
Key Packages
| Package | Purpose |
|---------|---------|
| @shopify/shopify-app-remix | Remix integration (auth, session, billing, webhooks) |
| @shopify/shopify-api | Low-level Shopify API client |
| @shopify/app-bridge-react | App Bridge React components |
| @shopify/polaris | Admin UI components |
Project Structure
shopify-app/
├── app/
│ ├── routes/
│ │ ├── app._index.tsx # App dashboard
│ │ ├── app.products.tsx # Products page
│ │ ├── auth.$.tsx # OAuth callback handler
│ │ └── webhooks.tsx # Webhook endpoint
│ ├── shopify.server.ts # Shopify API client initialization
│ ├── db.server.ts # Database connection
│ └── root.tsx # Root layout
├── prisma/
│ └── schema.prisma # Database schema (session storage)
├── extensions/ # App extensions (Functions, checkout UI)
├── shopify.app.toml # App configuration
├── .env
└── package.json
Shopify App Remix Setup
Server Initialization
// app/shopify.server.ts
import "@shopify/shopify-app-remix/adapters/node";
import { AppDistribution, shopifyApp } from "@shopify/shopify-app-remix/server";
import { PrismaSessionStorage } from "@shopify/shopify-app-session-storage-prisma";
import { prisma } from "./db.server";
const shopify = shopifyApp({
apiKey: process.env.SHOPIFY_API_KEY!,
apiSecretKey: process.env.SHOPIFY_API_SECRET!,
appUrl: process.env.SHOPIFY_APP_URL!,
scopes: process.env.SCOPES?.split(","),
authPathPrefix: "/auth",
sessionStorage: new PrismaSessionStorage(prisma),
distribution: AppDistribution.AppStore,
webhooks: {
APP_UNINSTALLED: {
deliveryMethod: "http",
callbackUrl: "/webhooks",
},
},
hooks: {
afterAuth: async ({ session }) => {
// Register webhooks after successful auth
shopify.registerWebhooks({ session });
},
},
});
export default shopify;
export const apiVersion = shopify.apiVersion;
export const addDocumentResponseHeaders = shopify.addDocumentResponseHeaders;
export const authenticate = shopify.authenticate;
export const registerWebhooks = shopify.registerWebhooks;
Authentication in Loaders
// app/routes/app._index.tsx
import { json, type LoaderFunctionArgs } from "@remix-run/node";
import { authenticate } from "../shopify.server";
export async function loader({ request }: LoaderFunctionArgs) {
const { admin } = await authenticate.admin(request);
const response = await admin.graphql(`
query {
products(first: 10) {
edges {
node {
id
title
}
}
}
}
`);
const { data } = await response.json();
return json({ products: data.products.edges });
}
Webhook Handler
// app/routes/webhooks.tsx
import type { ActionFunctionArgs } from "@remix-run/node";
import { authenticate } from "../shopify.server";
export async function action({ request }: ActionFunctionArgs) {
const { topic, shop, payload } = await authenticate.webhook(request);
switch (topic) {
case "APP_UNINSTALLED":
// Clean up shop data
await deleteShopData(shop);
break;
case "CUSTOMERS_DATA_REQUEST":
// Handle GDPR data request
break;
case "CUSTOMERS_REDACT":
// Delete customer data
break;
case "SHOP_REDACT":
// Delete all shop data
break;
}
return new Response();
}
Session Storage Options
| Storage | Package | Use Case |
|---------|---------|----------|
| Prisma | @shopify/shopify-app-session-storage-prisma | Production (SQL databases) |
| SQLite | @shopify/shopify-app-session-storage-sqlite | Development, small apps |
| Redis | @shopify/shopify-app-session-storage-redis | High-traffic apps |
| Memory | @shopify/shopify-app-session-storage-memory | Testing only |
| DynamoDB | @shopify/shopify-app-session-storage-dynamodb | AWS deployments |
GraphQL Admin Client
The authenticated admin client handles:
- Automatic token management
- Rate limiting (retries on 429)
- API versioning
- Type-safe queries (with codegen)
// Make a GraphQL call
const response = await admin.graphql(`
mutation ProductCreate($input: ProductInput!) {
productCreate(input: $input) {
product { id title }
userErrors { field message }
}
}
`, {
variables: {
input: { title: "New Product" },
},
});
REST Client (Legacy)
For endpoints not yet available in GraphQL:
const response = await admin.rest.get({
path: 'themes',
});
Note: REST is deprecated. Use GraphQL whenever possible.
Deployment
Shopify-Hosted (Spin)
For apps using shopify app deploy:
- Automatic hosting
- Managed infrastructure
- Environment variables in Shopify admin
Self-Hosted Options
| Platform | Setup |
|----------|-------|
| Vercel | vercel deploy |
| Fly.io | fly deploy |
| Railway | railway deploy |
| Render | Git push |
| AWS (ECS/Lambda) | SAM/CDK |
Environment Variables
SHOPIFY_API_KEY=your-api-key
SHOPIFY_API_SECRET=your-api-secret
SHOPIFY_APP_URL=https://your-app.example.com
SCOPES=read_products,write_products,read_orders
DATABASE_URL=file:./dev.db
Best Practices
- Use
@shopify/shopify-app-remix— do not build auth/session from scratch - Use Prisma for session storage in production (not SQLite or memory)
- Authenticate every request with
authenticate.admin(request) - Register webhooks in
afterAuthhook — they need valid access tokens - Implement all GDPR webhooks in the webhook handler
- Use GraphQL over REST for all API calls
- Handle
userErrorsin GraphQL mutations — 200 status does not mean success - Store environment variables securely — never commit
.env - Use
shopify app devfor local development (handles tunneling and auth)
Fetch the Shopify Remix app documentation and @shopify/shopify-app-remix package docs for exact initialization, authentication, and deployment patterns before implementing.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026