Shopify integration

One OAuth click. Webhooks registered. Tracking live.

Cobalz is a native Shopify app that handles install, token vaulting, webhook registration, and storefront tracking automatically. No theme edits, no manual webhook config, no Shopify Pixel hacks.

Install on your store Setup walkthrough

What ships

Production-grade Shopify integration.

OAuth install

/api/shopify/install handles the consent → token exchange → vaulting flow. Per-shop access token in Supabase Vault.

Auto-registered webhooks

orders/paid, orders/cancelled, refunds/create, app/uninstalled. Idempotent registration, deduped at the platform.

HMAC verification

Every Shopify webhook validates X-Shopify-Hmac-Sha256 against your shared secret. Replay-protected.

Storefront tracker

Same t.js as WooCommerce. Loaded via Theme App Extension or App-installed ScriptTag, configurable.

Cart attribution

Tracker writes _cobz_sess into cart note_attributes. Webhook reads it back to join orders to clicks.

Coupon attribution

Discount codes you create in Shopify Discounts auto-attribute to the affiliate that owns the code.

Refund handling

refunds/create webhook applies the same clawback decision tree we use for WC.

App uninstall tombstone

app/uninstalled webhook flips merchant status to cancelled, suspending payouts.

Multi-store via partners

Agencies can install on every client store. Each gets its own merchant_id + Vault entry.

Setup

From "Install" to "first attributed sale" in two minutes.

1
Click Install in the Shopify App Store
Or paste your shop URL into the install URL we email you. Shopify takes you through the standard OAuth consent screen.
2
Approve scopes
read_orders / read_products / read_customers / write_discounts / write_script_tags / read+write_themes.
3
Webhooks register automatically
orders/paid, orders/cancelled, refunds/create, app/uninstalled. You don't touch the Shopify Webhooks tab.
4
Add the affiliate signup link
Drop /a/{your-slug}/signup into your footer or send to your existing affiliate list. Approve in our queue.
5
Watch the dashboard
The first attributed click appears in /m/{your-slug}/overview the moment a visitor with a ?ref= parameter lands on your storefront.

Detailed walkthrough →

Why pick Cobalz over Shopify-only competitors

Refersion + UpPromote can't do this.

Yes Mercury invoice payouts (no other Shopify app does this).
Yes Per-merchant Vault for tokens — your store's access token is never in our app DB.
Yes Standard Webhooks v1 outbound — drop-in svix-libs verification.
Yes WooCommerce + Shopify in one platform — agencies running both stop juggling tools.
Yes Documented OpenAPI 3.1 REST API — Refersion's API is undocumented and pre-1.0.
Yes Real refund clawback — Shopify-native apps mostly "void everything".

FAQ

Shopify questions.

Is this listed in the Shopify App Store?+

Listing is in progress (Q2 2026). For now, you can install via the direct OAuth URL we provide on signup — same scopes, same security review pending.

What scopes does the app request?+

read_orders, read_products, read_customers (for attribution), write_discounts (for auto-coupon generation), write_script_tags (for t.js injection), read_themes / write_themes (for theme app extension).

How does Shopify Subscriptions work?+

Native Shopify Subscriptions API and the major third-party apps (Recharge, Bold, Appstle) are on our Q2 2026 roadmap. Stripe Subscriptions billed through your Stripe account work today.

Does it support Shopify Plus?+

Yes. The same OAuth app installs on Plus stores. Plus-specific features (Shopify Functions, B2B catalogs) are not yet integrated but on the roadmap.

How is attribution tracked at checkout?+

The t.js tracker stamps _cobz_sess into note_attributes on the cart. Our orders/paid webhook reads it back and joins to the click. Pure first-party, no Shopify Pixel hack.

Install the Shopify app, free.

Up to 25 affiliates and 10k tracked clicks per month with no credit card.

Start free Read the docs