Security is non-negotiable when you're connecting multiple Shopify stores. MultiStore Sync uses a token-based pairing system that keeps things simple without compromising safety.
Why not shared API keys?
Sharing API keys between stores creates a sprawling attack surface. If one key leaks, all connected stores are at risk. Revoking it breaks every connection simultaneously.
How tokens work
When a server store generates a pairing token, the token is a cryptographically random string, and only its hash is stored in our database. The raw token is shown once and never stored in plaintext. When a client store submits the token to connect, we hash it and compare it with the stored hash. If it matches, the connection is established and the token is invalidated.
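The single-use flow described above, as an added example that is not MultiStore Sync's own code. The use of SHA-256, the in-memory dict standing in for the database, and the names PairingStore, issue, redeem and stored_values are assumptions made for illustration.

```python
import hashlib
import secrets


class PairingStore:
    """Hypothetical in-memory stand-in for the table of pending pairing tokens."""

    def __init__(self):
        # Maps SHA-256(token) -> server store id. The raw token is never kept.
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        # A fast unsalted hash is adequate here only because the token carries
        # 256 bits of entropy; it would not be adequate for passwords.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, server_store: str) -> str:
        token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._pending[self._digest(token)] = server_store
        return token  # shown to the merchant once, then discarded

    def redeem(self, submitted: str, client_store: str):
        # Look up by hash, so the comparison never touches a stored raw token.
        # pop() invalidates the token in the same step that matches it, which
        # prevents a second redemption (replay) of the same token.
        server_store = self._pending.pop(self._digest(submitted), None)
        if server_store is None:
            return None  # unknown, mistyped or already-used token
        return (server_store, client_store)

    def stored_values(self):
        # What an attacker with read access to the table would see.
        return list(self._pending)


if __name__ == "__main__":
    store = PairingStore()
    token = store.issue("server-store.example")      # constructed store names
    print("at rest:", store.stored_values())          # hash only
    print("first use:", store.redeem(token, "client-store.example"))
    print("replay:", store.redeem(token, "other-store.example"))
```

In a real database the lookup and delete in redeem would need to be one atomic operation, so two concurrent submissions of the same token cannot both succeed.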
HMAC webhook verification
Every webhook payload from Shopify is verified using HMAC-SHA256 before any processing occurs. The signature is computed using your app's client secret and compared against the X-Shopify-Hmac-Sha256 header. Payloads that fail verification are rejected immediately.
GDPR compliance
MultiStore Sync processes the minimum data necessary. We respond to Shopify's GDPR webhooks (customers/data_request, customers/redact, shop/redact) and permanently delete store data within 30 days of uninstallation.