Skip to main content

Shopify Cross-Platform Consent

For Shopify stores using TrueVault's CMP, cross-platform consent management on the web works automatically. This guide explains how the integration works under the hood. As long as you're using our CMP and have our Shopify app installed, you do not need to perform any additional setup. This article is about how cross-platform consent management works under-the-hood for our Shopify integration.

note

If you have a mobile app that is more than a web view around a Shopify site, there is additional integration that you will need to perform to enable cross-platform consent in your native app. Be sure to review our Mobile Apps (React Native Guide) to implement cross-platform consent in your native app.

How It Works

The TrueVault Shopify app uses Shopify's App Proxy feature to securely communicate consent preferences between your storefront and TrueVault's backend.

Request Flow

  1. Consumer loads your site: The CMP JavaScript loads on your Shopify storefront
  2. CMP requests consent data: The CMP makes a request to your store's proxy URL: 
    https://example-store.myshopify.com/apps/truevault/api/v1/cmp/consent?privacy_center_id=YOUR_TV_PRIVACY_CENTER_ID&provider=shopify&client_id=550e8400-e29b-41d4-a716-446655440000
  3. Shopify proxies the request: Shopify forwards the request to TrueVault's backend with authentication and information about the customer
  4. TrueVault returns consent data: If the consumer has existing preferences, they're returned and applied. Otherwise, a new record is created

Authentication

Our Shopify App Proxy automatically adds parameters to each request:

  • logged_in_customer_id: The Shopify customer ID (only present if customer is logged in)
  • shop: Your store's domain (e.g., example-store.myshopify.com)
  • signature: HMAC-SHA256 signature proving the request came from Shopify

These parameters attest that the request for a consumer's consent preferences is authentic and resulted from that customer visiting your website.

API Endpoints

GET https://example-store.myshopify.com/apps/truevault/api/v1/cmp/consent

Query Parameters

ParameterRequiredDescription
providerYesMust be shopify
privacy_center_idYesYour TrueVault privacy center ID
shopYesYour store domain (added by Shopify proxy)
logged_in_customer_idYesCustomer ID (added by Shopify proxy)
signatureYesHMAC signature (added by Shopify proxy)
client_idNoOptional UUID v4 identifier for the browser/device

Response

{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "consentAnalytics": true,
  "consentAdvertising": false,
  "consentPersonalization": true,
  "consentTargetedAdvertising": false,
  "optedOut": false,
  "implicit": false,
  "isExisting": true
}

Response Fields

FieldTypeDescription
jwtstringJWT token representing this consumer
consentAnalyticsboolean | nullAnalytics consent preference
consentAdvertisingboolean | nullAdvertising consent preference
consentPersonalizationboolean | nullPersonalization consent preference
consentTargetedAdvertisingboolean | nullTargeted advertising consent
optedOutboolean | nullGlobal opt-out preference
implicitboolean | nulltrue if consumer hasn't explicitly set preferences
isExistingbooleantrue if this is an existing record, false if newly created

POST https://example-store.myshopify.com/apps/truevault/api/v1/cmp/consent

The CMP automatically sends POST requests when consumers update their preferences.

Request Body

{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "consentAnalytics": true,
  "consentAdvertising": false,
  "consentPersonalization": true,
  "consentTargetedAdvertising": false,
  "optedOut": false
}

All consent fields are optional in the request body (only provide the fields being updated):

  • consentAnalytics
  • consentAdvertising
  • consentPersonalization
  • consentTargetedAdvertising
  • optedOut

Each field accepts true or false.

Response

Same structure as GET response, with updated values.

JWT Structure

TrueVault generates a JWT to represent each consumer in a privacy-preserving way.

JWT Payload

{
  "consumerIdentifier": "6789012345",
  "consumerPartition": "example-store.myshopify.com",
  "iat": 1699564800
}

JWT Properties

  • Algorithm: HS256 (HMAC with SHA-256)
  • Signing secret: Managed by TrueVault (not exposed to merchants)
  • Expiration: None in JWT itself; storage has a 180-day TTL for cookie consent records and retains opt-outs indefinitely
  • Encoding: Base64URL (RFC 4648)

The JWT is opaque to the CMP frontend—it's passed from GET to POST requests without being decoded client-side.

Security Features

Signature Verification

TrueVault verifies the Shopify signature on every request:

  1. Extract all query parameters except signature
  2. Sort parameters alphabetically
  3. Concatenate as key=value pairs
  4. Compute HMAC-SHA256 using Shopify API secret
  5. Compare with provided signature using timing-safe comparison

This ensures that requests genuinely originate from Shopify and haven't been tampered with.

Customer Authentication

The Shopify proxy only includes logged_in_customer_id when a customer is authenticated with your store. If this parameter is missing:

  • GET requests: Return 401 Unauthorized
  • POST requests: Cannot proceed without a valid JWT

In other words, only logged-in customers' consent preferences are persisted.

Data Storage and Retention

Storage Period

Consent records are stored for 180 days from the last update. Opt-out selections never expire. Each preference change resets the 180-day retention window for cookie consents.

Automatic Cleanup

TrueVault automatically deletes expired consent records. No manual cleanup is required.

Data Isolation

Each merchant's consent data is isolated using the shop domain as a partition key. This ensures that:

  • Customers from different stores cannot access each other's data
  • Data is organized efficiently for quick retrieval
  • Cross-store data leakage is prevented at the database level

Integration with CMP

The TrueVault CMP JavaScript handles all interactions with the consent API automatically:

  1. On page load: CMP checks for stored consent via GET request
  2. Applying preferences: If consent exists, preferences are applied to scripts
  3. Preference updates: When consumer changes settings, CMP sends POST request
  4. JWT management: CMP stores JWT in memory for the session

Merchants don't need to write any code—the integration works out of the box once the TrueVault app is installed.

Example: Complete Flow

Here's how the system works when a customer visits your store:

  1. Customer visits store from Device A

    • Not logged in → CMP shows default preferences
    • Customer creates account and logs in
    • Customer sets preferences: Analytics = true, Advertising = false

  2. CMP sends POST request

    {
      "jwt": "eyJhbGci...",
      "consentAnalytics": true,
      "consentAdvertising": false
    }

  3. TrueVault stores preferences

    • Links preferences to Shopify customer ID
    • Returns updated consent record

  4. Customer visits store from Device B

    • Logs in with same account
    • CMP sends GET request with logged_in_customer_id

  5. TrueVault returns stored preferences

{
  "jwt": "eyJhbGci...",
  "consentAnalytics": true,
  "consentAdvertising": false,
  "isExisting": true
}
  1. CMP applies preferences automatically
    • Analytics scripts load
    • Advertising scripts remain blocked

The customer experiences consistent privacy preferences across all devices without any additional action.

Last updated on