shopify-prod-checklist
Execute Shopify app production deployment checklist covering App Store requirements, mandatory webhooks, API versioning, and rollback procedures. Trigger with phrases like "shopify production", "deploy shopify", "shopify go-live", "shopify launch checklist", "shopify app store submit".
Best use case
shopify-prod-checklist is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Execute Shopify app production deployment checklist covering App Store requirements, mandatory webhooks, API versioning, and rollback procedures. Trigger with phrases like "shopify production", "deploy shopify", "shopify go-live", "shopify launch checklist", "shopify app store submit".
Teams using shopify-prod-checklist should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/shopify-prod-checklist/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How shopify-prod-checklist Compares
| Feature / Agent | shopify-prod-checklist | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Execute Shopify app production deployment checklist covering App Store requirements, mandatory webhooks, API versioning, and rollback procedures. Trigger with phrases like "shopify production", "deploy shopify", "shopify go-live", "shopify launch checklist", "shopify app store submit".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Shopify Production Checklist
## Overview
Complete pre-launch checklist for deploying Shopify apps to production and submitting to the Shopify App Store.
## Prerequisites
- Staging environment tested and verified
- Shopify Partner account with app configured
- All development and staging tests passing
## Instructions
### Step 1: API and Authentication
- [ ] Using a stable API version (e.g., `2024-10`), not `unstable`
- [ ] Access token stored in secure environment variables (never in code)
- [ ] API secret stored securely for webhook HMAC verification
- [ ] OAuth flow tested with a fresh install on a clean dev store
- [ ] Session persistence implemented (database or Redis, not in-memory)
- [ ] Token refresh/re-auth handled for expired sessions
- [ ] `APP_UNINSTALLED` webhook handler cleans up sessions
### Step 2: Mandatory GDPR Compliance
- [ ] `customers/data_request` webhook handler implemented
- [ ] `customers/redact` webhook handler implemented
- [ ] `shop/redact` webhook handler implemented (fires 48h after uninstall)
- [ ] All three configured in `shopify.app.toml`
- [ ] Handlers respond with HTTP 200 within 5 seconds
- [ ] Customer data deletion actually works (test it!)
### Step 3: Webhook Security
- [ ] All webhooks verify `X-Shopify-Hmac-Sha256` using HMAC-SHA256
- [ ] Using `crypto.timingSafeEqual()` for signature comparison
- [ ] Webhook endpoints use raw body parsing (not JSON middleware)
- [ ] Idempotency: duplicate webhook deliveries handled gracefully
### Step 4: Rate Limit Resilience
- [ ] GraphQL queries optimized (check `requestedQueryCost` with debug header)
- [ ] Retry logic with exponential backoff for 429 / THROTTLED responses
- [ ] Bulk operations used for large data exports instead of paginated queries
- [ ] No unbounded loops that could exhaust rate limits
### Step 5: Error Handling
- [ ] All GraphQL mutations check `userErrors` array (200 with errors!)
- [ ] HTTP 4xx/5xx errors caught and logged with `X-Request-Id`
- [ ] Graceful degradation when Shopify is unavailable
- [ ] No PII logged (customer emails, addresses, phone numbers)
### Step 6: App Store Submission Requirements
- [ ] App listing has clear name, description, and screenshots
- [ ] Privacy policy URL provided
- [ ] App has proper onboarding flow for new merchants
- [ ] Embedded app uses App Bridge for navigation (no full-page redirects)
- [ ] CSP headers set: `frame-ancestors https://*.myshopify.com https://admin.shopify.com`
- [ ] App works on both desktop and mobile admin
- [ ] Loading states shown during API calls (no blank screens)
### Step 7: API Version Management
```bash
# Check which API versions your store supports
curl -s -H "X-Shopify-Access-Token: $TOKEN" \
"https://$STORE/admin/api/versions.json" \
| jq '.supported_versions[] | select(.supported == true) | .handle'
# Shopify deprecates versions ~12 months after release
# Set a calendar reminder to upgrade quarterly
```
### Step 8: Health Check Endpoint
```typescript
app.get("/health", async (req, res) => {
const checks: Record<string, any> = {};
// Test Shopify connectivity
try {
const start = Date.now();
await client.request("{ shop { name } }");
checks.shopify = { status: "ok", latencyMs: Date.now() - start };
} catch (err) {
checks.shopify = { status: "error", message: (err as Error).message };
}
// Test database
try {
await db.query("SELECT 1");
checks.database = { status: "ok" };
} catch (err) {
checks.database = { status: "error" };
}
const allHealthy = Object.values(checks).every((c: any) => c.status === "ok");
res.status(allHealthy ? 200 : 503).json({
status: allHealthy ? "healthy" : "degraded",
checks,
timestamp: new Date().toISOString(),
});
});
```
## Output
- All checklist items verified
- Health check endpoint operational
- GDPR compliance webhooks functional
- App ready for production traffic or App Store submission
## Error Handling
| Alert | Condition | Severity |
|-------|-----------|----------|
| Shopify API down | 5xx errors > 5/min | P1 - Critical |
| Auth failures | 401 errors > 0 | P1 - Token may be revoked |
| Rate limited | THROTTLED > 5/min | P2 - Reduce query cost |
| High latency | p95 > 3000ms | P2 - Check query complexity |
| Webhook failures | Delivery success < 95% | P2 - Check endpoint health |
## Examples
### Pre-Deploy Smoke Test
```bash
#!/bin/bash
echo "=== Shopify Pre-Deploy Smoke Test ==="
STORE="$SHOPIFY_STORE"
TOKEN="$SHOPIFY_ACCESS_TOKEN"
PASS=0; FAIL=0
# Auth test
if curl -sf -H "X-Shopify-Access-Token: $TOKEN" \
"https://$STORE/admin/api/2024-10/shop.json" > /dev/null; then
echo "PASS: Auth"; ((PASS++))
else
echo "FAIL: Auth"; ((FAIL++))
fi
# Scopes test
SCOPES=$(curl -sf -H "X-Shopify-Access-Token: $TOKEN" \
"https://$STORE/admin/oauth/access_scopes.json" | jq -r '.access_scopes[].handle')
for required in read_products read_orders; do
if echo "$SCOPES" | grep -q "$required"; then
echo "PASS: Scope $required"; ((PASS++))
else
echo "FAIL: Missing scope $required"; ((FAIL++))
fi
done
echo "---"
echo "Results: $PASS passed, $FAIL failed"
[ $FAIL -eq 0 ] && echo "READY FOR DEPLOY" || echo "FIX FAILURES FIRST"
```
## Resources
- [Shopify App Store Review Requirements](https://shopify.dev/docs/apps/launch/app-requirements)
- [GDPR Compliance Webhooks](https://shopify.dev/docs/apps/build/compliance/privacy-law-compliance)
- [API Versioning](https://shopify.dev/docs/api/usage/versioning)
- [Shopify Status Page](https://www.shopifystatus.com)
## Next Steps
For version upgrades, see `shopify-upgrade-migration`.Related Skills
workhuman-prod-checklist
Workhuman prod checklist for employee recognition and rewards API. Use when integrating Workhuman Social Recognition, or building recognition workflows with HRIS systems. Trigger: "workhuman prod checklist".
wispr-prod-checklist
Wispr Flow prod checklist for voice-to-text API integration. Use when integrating Wispr Flow dictation, WebSocket streaming, or building voice-powered applications. Trigger: "wispr prod checklist".
windsurf-prod-checklist
Execute Windsurf production readiness checklist for team and enterprise deployments. Use when rolling out Windsurf to a team, preparing for enterprise deployment, or auditing production configuration. Trigger with phrases like "windsurf production", "windsurf team rollout", "windsurf go-live", "windsurf enterprise deploy", "windsurf checklist".
webflow-prod-checklist
Execute Webflow production deployment checklist — token security, rate limit hardening, health checks, circuit breakers, gradual rollout, and rollback procedures. Use when deploying Webflow integrations to production or preparing for launch. Trigger with phrases like "webflow production", "deploy webflow", "webflow go-live", "webflow launch checklist", "webflow production ready".
vercel-prod-checklist
Vercel production deployment checklist with rollback and promotion procedures. Use when deploying to production, preparing for launch, or implementing go-live and instant rollback procedures. Trigger with phrases like "vercel production", "deploy vercel prod", "vercel go-live", "vercel launch checklist", "vercel promote".
veeva-prod-checklist
Veeva Vault prod checklist for REST API and clinical operations. Use when working with Veeva Vault document management and CRM. Trigger: "veeva prod checklist".
vastai-prod-checklist
Execute Vast.ai production deployment checklist for GPU workloads. Use when deploying training pipelines to production, preparing for large-scale GPU jobs, or auditing production readiness. Trigger with phrases like "vastai production", "deploy vastai", "vastai go-live", "vastai launch checklist".
twinmind-prod-checklist
Complete production deployment checklist for TwinMind integrations. Use when preparing to deploy, auditing production readiness, or ensuring best practices are followed. Trigger with phrases like "twinmind production", "deploy twinmind", "twinmind go-live checklist", "twinmind production ready".
together-prod-checklist
Together AI prod checklist for inference, fine-tuning, and model deployment. Use when working with Together AI's OpenAI-compatible API. Trigger: "together prod checklist".
techsmith-prod-checklist
TechSmith prod checklist for Snagit COM API and Camtasia automation. Use when working with TechSmith screen capture and video editing automation. Trigger: "techsmith prod checklist".
supabase-prod-checklist
Execute Supabase production deployment checklist covering RLS, key hygiene, connection pooling, backups, monitoring, Edge Functions, and Storage policies. Use when deploying to production, preparing for launch, or auditing a live Supabase project for security and performance gaps. Trigger with "supabase production", "supabase go-live", "supabase launch checklist", "supabase prod ready", "deploy supabase", "supabase production readiness".
stackblitz-prod-checklist
Production checklist for WebContainer apps: headers, browser support, fallbacks. Use when working with WebContainers or StackBlitz SDK. Trigger: "stackblitz production".