Shopify Essentials: Shopify API Integration: Best Practices

10 minute read Shopify Essentials · Part 6

Master the Shopify API with best practices for REST and GraphQL, pagination, rate limits, webhooks, and secure access token management.

Shopify’s APIs power everything from storefront extensions to full custom apps. Whether you’re querying product data or syncing orders to third-party systems, performance and reliability matter.

This guide covers integration fundamentals with best practices for REST and GraphQL.

Why API Discipline Matters

Shopify APIs sit between your store and everything else. Bad integration design causes:

  • Rate limit breaches
  • Data drift
  • Silent failures during peak trading

Good API discipline prevents outages.

Design Rationale and Trade-offs

GraphQL trades complexity for efficiency

Worth it once queries exceed trivial CRUD.

Webhooks are state hints, not truth

Always reconcile with API reads.

Retry logic is mandatory

Network failures are normal, not exceptional.

Fact Checks and Clarifications

  • REST pagination uses cursor-based page_info, not numeric pages.
  • GraphQL rate limits are cost-based, not request-based.
  • HMAC verification is mandatory for webhook security.

Key Takeaways

  • Design for failure, not success.
  • Monitor rate limits continuously.
  • Log payloads for post-mortems.

REST vs GraphQL: Choose Wisely

REST:

  • Easier for simple CRUD ops
  • Clear, structured endpoints
  • Good for webhooks and admin actions

GraphQL:

  • More efficient for selective data queries
  • One request, multiple datasets
  • Ideal for dashboards and reporting

Example GraphQL query:

{
  products(first: 3) {
    edges {
      node {
        id
        title
        variants(first: 2) { edges { node { price } } }
      }
    }
  }
}

Authentication Options

Use the correct method based on your app type:

  • Private apps: basic auth or static tokens
  • Custom/public apps: OAuth2 with X-Shopify-Access-Token

Never expose tokens on the frontend. Store securely in env vars or secrets managers.

Handle Rate Limiting

Shopify applies rate limits:

  • REST: 40 requests per app per store per minute (plus burst bucket)
  • GraphQL: cost-based (e.g. 1000 points/minute)

Best Practices:

  • Use Retry-After header for REST
  • Use X-Shopify-Shop-Api-Call-Limit to monitor
  • For GraphQL, check extensions.cost in response

Pagination

Use cursor-based pagination in GraphQL:

products(first: 5, after: "cursor")

REST uses page_info and rel=next headers:

Link: <https://...&page_info=abc>; rel="next"

Never use page=2 - it’s deprecated.

Webhooks Integration

Use webhooks to stay reactive:

  • orders/paid
  • products/update
  • customers/create

Verify requests using HMAC SHA256 with your secret key:

crypto.createHmac("sha256", secret).update(body).digest("base64")

API Retry & Error Strategy

  • Retry on 429 Too Many Requests and 5xx errors
  • Use exponential backoff (setTimeout(..., delay * 2))
  • Log failed attempts with full payload

Secure Your Requests

  • Always use HTTPS
  • Sanitize all incoming params
  • Avoid passing full tokens in URLs

Real-World Example

In a logistics integration for a jewellery brand:

  • Orders pushed to third-party warehouse via REST
  • Stock synced back via webhook triggers
  • GraphQL used for dashboard queries

Need Shopify help? I work with retailers and agencies across Liverpool and Merseyside. Learn more about my Shopify services or get in touch.