Apps & Plugins Architecture

Encryption at Rest

We use AES-256-CBC to encrypt sensitive credentials.

import { createCipheriv } from 'crypto';

const algorithm = 'aes-256-cbc';

const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');

export function encrypt(text) {

const iv = crypto.randomBytes(16);

const cipher = createCipheriv(algorithm, key, iv);

// ... returns { iv, content }

}

User Client: Clicks "Connect Shopify".

Server Action: Redirects to shopify.com/oauth/authorize?scope=....

Callback: Shopify redirects back to /api/apps/callback/shopify with code.

Token Exchange: Server swaps code for access_token.

Encryption: Token is encrypted and saved to AppConnection.