Saleor apps are separate applications that use GraphQL to talk to the Saleor server and receive webhooks with event notifications from Saleor. If the event payload lacks any data essential to the app, you can query additional data using GraphQL. In addition, the Saleor API exposes all the actions from the dashboard, so your app can fully extend your shop behavior.
Start building a Saleor app by learning about:
Saleor provides official integrations maintained and hosted in Saleor Cloud. They can be installed like any third-party app and they are accessible in Saleor Marketplace.
Types of apps
local: create a custom app instance and assign explicitly provided permissions. The app is fully manageable from the dashboard. You can change the assigned permissions and add webhooks or authentication tokens. With a
localapp, you can create an integration with some services which will parse the webhook payload.
If you're building a single service dedicated only to your shop, this solution will handle all your needs.
third-party: install the app in Saleor and proceed with all required steps to prepare the communication channel for the app.
Installation is fully automated. Saleor uses a defined app manifest to gather all required information. If installed successfully, the app gets the possibility to attach to the Saleor Dashboard over the iframe, communicate with Saleor over the API, and use webhooks to subscribe for the given events.
If you're building an app that will be published in the marketplace, this solution is dedicated to you.
The Saleor App Architecture was described in a series of articles starting with the "Communicating with apps".
The App access can be granularly assigned per-app basis. During installation, the user can choose which permissions to grant. Read permissions guide to learn more.
All requests from the dashboard view have the staff user JWT token so that additional permission checks can be done on the app side. The token contains permissions, being a common set of staff user and app permissions.
Verifying incoming payload - the secret key
To ensure that the incoming webhook payload is from a known host, Saleor adds the
Saleor-Signature header to the request. Read more.