Developer guide

Shopify App Bridge
Embedded apps, explained.

App Bridge is what makes an app feel native inside the Shopify admin — handling authentication, navigation, and admin UI. This guide covers what it is, how to load it, session tokens, web components, and the issues that break embedded apps.

11 min read · Updated June 2026

On this page (8)
  1. What App Bridge is
  2. Why embedded apps need it
  3. How to load App Bridge
  4. Session token authentication
  5. Web components & UI
  6. Common App Bridge issues
  7. How AI builders set it up
  8. FAQ

1. What App Bridge is

Shopify App Bridge is a JavaScript library that connects an embedded app — one that loads inside the Shopify admin — to the admin around it. Most Shopify apps are embedded: when a merchant opens your app, it appears inside the Shopify admin interface, not on a separate website. App Bridge is what makes that integration work.

Technically, an embedded app runs inside an iframe within the Shopify admin. The iframe is sandboxed from the surrounding page, so your app can't directly touch the admin's navigation, show native toasts, or open admin modals. App Bridge is the controlled channel that lets it do those things — the bridge between your app's iframe and the Shopify admin.

It handles several jobs: issuing session tokens for backend authentication, integrating your app's navigation with the admin, and providing UI elements (title bars, navigation menus, toasts, modals, resource pickers) that render in the admin outside your iframe so the app feels native.

The one-line summary

App Bridge makes your app feel like part of Shopify rather than a website stuffed in a frame. Without it, an embedded app technically loads but is disconnected from the admin — broken navigation, failed authentication, and no native UI.

2. Why embedded apps need App Bridge

Because an embedded app lives in a sandboxed iframe, several things that work on a normal website don't work — and App Bridge solves each:

  • Authentication: Cookies are unreliable in the embedded iframe context. App Bridge issues short-lived session tokens instead, which authenticate your frontend's requests to your backend.
  • Navigation: Your app's internal navigation needs to integrate with the admin's URL and history so the back button and deep links work. App Bridge coordinates this.
  • Native UI: Toasts, modals, the contextual save bar, and the resource picker need to render in the admin outside your iframe. App Bridge web components do this.
  • Admin actions: Launching admin workflows (like picking a product) requires communicating with the admin. App Bridge APIs expose these.

This is precisely why generic AI builders and developers new to Shopify produce broken embedded apps: they build a standalone web app that works fine on its own domain but, dropped into the Shopify admin iframe without App Bridge, fails on authentication and navigation. App Bridge isn't optional for embedded apps — it's the foundation.

3. How to load App Bridge

The current App Bridge is loaded with a script tag and configured with a single meta tag — far simpler than older versions. In your app's HTML <head>:

  • Add a meta tag with your app's client ID: <meta name="shopify-api-key" content="YOUR_CLIENT_ID">
  • Add the App Bridge script from Shopify's CDN: <script src="https://cdn.shopify.com/shopifycloud/app-bridge.js"></script>

Because the script is CDN-hosted, your app always loads the latest App Bridge version automatically — you don't pin or bundle a version. Once the script tag is present, setup is complete. You access App Bridge functionality through a global shopify object, or in React via the useAppBridge hook.

No more manual initialization

Earlier App Bridge versions (3.x) required calling createApp() with a config object, and App Bridge React required wrapping your app in a <Provider>. The current version removed all of that — the script tag handles initialization. If you find tutorials using createApp() or a Provider, they describe the old approach. The modern setup is just the script tag and meta tag.

Watch for outdated tutorials

App Bridge changed significantly. A lot of older content (and generic AI training data) shows the 3.x pattern with createApp() and Providers. Following that on a new app leads to confusing errors. The current approach — CDN script tag, no manual init, the shopify global — is what to use. Shopify CLI-scaffolded apps include the script automatically.

4. Session token authentication

Session tokens are how an embedded app proves to its own backend that a request is genuine. They're the embedded-app replacement for cookie sessions, which don't work reliably in the iframe.

How they work

A session token is a short-lived JWT issued by App Bridge, representing the current authenticated admin session. When your frontend makes a fetch request to your backend, App Bridge — once the script is set up — automatically appends an Authorization: Bearer <token> header. Your backend verifies the token's signature and claims to confirm the request came from your authenticated app, then processes it.

Retrieving a token manually

You can also get a token explicitly when you need one — for example with await shopify.idToken() in your frontend — and attach it to a request yourself. This is useful when you're not relying on App Bridge's automatic header injection, or for custom fetch logic.

Why this matters for security

Session tokens are short-lived and verified on every request, which is what keeps embedded apps secure. An app that tries to use long-lived cookies or skips token verification has a security gap (and breaks in the iframe). Correct session token handling — frontend issuing tokens, backend verifying them — is a core part of a properly built embedded app.

5. Web components and admin UI

App Bridge provides web components that let your app control parts of the Shopify admin outside your iframe, so the app feels native. While your app's own UI is built inside the iframe (typically with Shopify's Polaris design system), App Bridge web components handle the surrounding admin chrome.

  • Navigation menu: add your app's navigation links to the admin so merchants move between your app's sections natively.
  • Title bar: set the page title and primary actions that appear in the admin's title area.
  • Save bar: manage the contextual save bar that appears when there are unsaved changes.
  • Toasts: show native admin toast notifications for feedback.
  • Modals: open modal dialogs that render at the admin level, not trapped inside your iframe.
  • Resource picker: launch Shopify's native picker for selecting products, collections, or variants.

These are accessed through the shopify global object (or useAppBridge in React). Using them is what makes the difference between an app that feels bolted-on and one that feels like a native part of the Shopify admin.

6. Common App Bridge issues

When an embedded app misbehaves, App Bridge is usually involved. The frequent culprits:

  • App Bridge not loaded: the script or meta tag is missing or misconfigured. The app renders but authentication and navigation fail. Symptom: backend requests are unauthorized, navigation doesn't sync.
  • Wrong API key: the shopify-api-key meta tag doesn't match your app's client ID. App Bridge can't identify your app.
  • Using the old API: code written for App Bridge 3.x (createApp, Provider) against the current version. Leads to errors or no-ops.
  • Backend not verifying tokens: the frontend sends session tokens but the backend doesn't verify them, either rejecting valid requests or (worse) accepting unverified ones.
  • Cross-origin fetch without allowlisting: if your app calls a domain other than its own origin, you must allowlist it so App Bridge attaches auth headers.

Nearly all of these come down to setup. A correctly configured App Bridge — script tag, matching API key, current API, backend token verification — eliminates the entire class of embedded-app brokenness.

7. How AI builders set up App Bridge

App Bridge setup is one of the five things generic AI builders and inexperienced developers consistently get wrong — they produce a standalone web app with no App Bridge, which breaks the moment it loads inside the Shopify admin.

A Shopify-specific builder like Shopivibe generates apps with App Bridge correctly set up: the CDN script tag and API key meta tag in the document head, session token authentication wired between frontend and backend, and the current (not deprecated) App Bridge API. Because the generation is grounded in Shopify's current documentation, it uses today's script-tag setup rather than the outdated createApp pattern that older training data favors.

You own the resulting code, so you can add App Bridge web components (a custom nav menu, a resource picker) as your app grows. But you start from a correctly embedded app that authenticates and navigates properly inside the Shopify admin — not a standalone web app you have to retrofit.

8. FAQ

What is Shopify App Bridge?
App Bridge is Shopify's JavaScript library that lets an embedded app — one that loads inside the Shopify admin — communicate with the admin around it. It handles session token authentication, navigation menus, title bars, toasts, modals, and resource pickers, so your app feels native inside Shopify. Embedded apps run in an iframe, and App Bridge is the bridge between your app and the surrounding admin.
How do I add App Bridge to my app?
Add the app-bridge.js script to your HTML head, along with a meta tag containing your app's client ID. For example: a <meta name="shopify-api-key" content="YOUR_CLIENT_ID"> tag and a <script src="https://cdn.shopify.com/shopifycloud/app-bridge.js"> tag in the <head>. Because it's loaded from Shopify's CDN, you always get the latest version. The current App Bridge needs no manual initialization — the script tag does the setup. Access its APIs through the global 'shopify' object, or the useAppBridge hook in React.
Do I still need to initialize App Bridge manually?
No. Earlier versions of App Bridge required manual initialization with createApp() and a config object, and App Bridge React required a Provider component. The current App Bridge removed all of that — adding the app-bridge.js script tag handles setup automatically. If you see tutorials using createApp() or <Provider>, they're for the older 3.x version; the current approach is just the script tag.
What are App Bridge session tokens?
Session tokens are short-lived JWTs that authenticate requests from your app's frontend to your backend. When App Bridge is set up, it automatically appends an Authorization header (Bearer token) to fetch requests your frontend makes to your backend. Your backend verifies this token to confirm the request came from your authenticated app. You can also retrieve a token manually with shopify.idToken(). This replaces cookie-based sessions, which don't work reliably in the embedded iframe context.
Why does my embedded app load but feel broken?
The most common cause is App Bridge not being set up correctly. Without it, the app renders inside the iframe but navigation doesn't integrate with the admin, session tokens aren't issued (so backend auth fails), and admin UI elements like toasts and the save bar don't work. The app looks like it loaded but breaks on interaction. Correct App Bridge setup fixes this.
Does my app need App Bridge if it's not embedded?
Only embedded apps (those that load inside the Shopify admin) need App Bridge — and embedded is the standard, expected pattern for merchant-facing apps. A purely external app that merchants visit at your own domain wouldn't use App Bridge, but that's an unusual pattern for Shopify apps. Most apps are embedded and therefore need App Bridge.
Do AI-built apps set up App Bridge correctly?
A Shopify-specific builder like Shopivibe generates apps with App Bridge loaded correctly — the script tag, the API key meta tag, and session token authentication wired to the backend. Generic AI tools build standalone web apps that don't load App Bridge, so they break inside the Shopify admin. Correct App Bridge setup is one of the five things generic tools consistently miss.
Get started

Build your own
Shopify app with AI

Describe the Shopify app you need — in plain language. Shopivibe handles everything Shopify requires and ships you a production-ready app. The code is yours to keep.

Start building free →
No developer neededLive app in minutesFull code ownership