§ 01 · the five surfaces

A Shopify app lives on five surfaces. Not one.

The word “Shopify app” hides five very different things. An admin extension is not a storefront block. A checkout UI extension is not a Shopify Function. A webhook consumer is not an embedded app. Each surface has its own API contract, its own review path, its own billing model, and its own failure mode. The first decision in every engagement is which surfaces your app actually needs. Most apps need two. Some need all five. Very few genuinely need one.

Editorial cross-section diagram of the five Shopify app extension surfaces: admin, online store, checkout, Shopify Functions, and webhooks. Each surface labeled with its extension point and a small amber orb marking the Shopify Functions surface as where the app's own business logic runs. — Fig. 1 · *five surfaces* · the extension points a Shopify app actually uses

surface 01 · admin

Merchant-facing pages.

Embedded in the Shopify admin via App Bridge 4. Polaris UI, session-token authentication, Admin GraphQL for data. The first surface every public app ships against.

surface 02 · online store

Theme app extensions.

App blocks drop into a merchant's theme without editing Liquid. Announcement bars, product recommendations, reviews, pop-ups. Scoped asset loading so the storefront stays fast.

surface 03 · checkout

Checkout UI Extensions.

The Plus-only surface. Upsells, delivery instructions, validation rules, custom payment fields. Replaces the deprecated checkout.liquid customization surface entirely.

surface 04 · Shopify Functions

Rust or JS that Shopify runs.

Discount, delivery, payment customization, and cart validation that executes inside Shopify's own servers. Lower latency than a webhook round-trip. The Plus-only logic surface.

surface 05 · webhooks

Event-driven to your infra.

Orders, customers, inventory, fulfilment events pushed to your backend. Plus three mandatory compliance webhooks every public app must answer. Idempotent, retried, signed.

the right mix

Most apps use two or three.

A subscription app uses admin + webhooks + billing. A bundling app uses admin + theme extension + Functions. A loyalty app uses admin + theme extension + checkout extension. The scoping question is never “build an app” — it is always “which surfaces.”

§ 02 · liquid · function · extension · app

Four ways to extend Shopify. Pick the lightest one that works.

Every Shopify extension request can be answered with a theme-Liquid tweak, a Shopify Function, a Checkout UI Extension, or a full app. The lightest answer wins. Here is the decision matrix we walk every buyer through before we touch an API token.

	Theme Liquid	Shopify Function	Checkout UI Extension	Full App
where it runs	storefront render	Shopify's servers	checkout iframe	your backend + Shopify admin
merchant access	any Shopify plan	Plus-only (most types)	Plus-only	any plan, app review required for public
typical build time	hours to days	1–3 weeks	2–6 weeks	6–16 weeks
best for	visual + content changes	discount, delivery, payment logic	upsell, validation, custom fields at checkout	merchant workflows, SaaS apps, heavy data
wrong for	any logic beyond Liquid filters	anything with a UI	non-Plus stores	simple one-off tweaks

Most “we need an app” briefs we scope end up as a Function plus a checkout extension. That is the answer more often than a full app.

§ 03 · the extension surface

Every app is a contract with one or more surfaces.

Fourteen seconds. Five surfaces. The tour walks through each extension point Shopify exposes, what the contract looks like, and what it is actually for — admin, online store, checkout, functions, webhooks.

Fig. 2 · five surfaces tour · each extension point Shopify exposes, one at a time

§ 04 · three paths, three go-to-market contracts

Public, custom, or private. Pick the distribution your business actually needs.

The engineering is 80% shared. The go-to-market is entirely different. Private apps never hit the App Store. Custom apps reach a named set of merchants. Public apps take the review path and compound as a SaaS business. Pick the contract first; the build follows.

path 01 · private

Private app, one store.

Installed on a single Shopify store. No App Store review. No listing assets. Access scoped to that one shop's Admin API credentials. The right path when the extension serves a specific merchant's workflow and has no SaaS intent.

✓6 to 10 weeks end-to-end
✓Custom Admin UI via App Bridge
✓Admin GraphQL + webhooks
✓No Billing API needed
✓Documentation + handoff kit

for: single-merchant workflows, internal tools

path 02 · custom

Custom app, named merchants.

Distributed to a small set of named stores via custom distribution, without App Store review. Good for agencies running the same app across a client roster and for Plus merchants sharing tooling across brands under one parent.

✓8 to 12 weeks end-to-end
✓OAuth + install flow
✓Multi-tenant database per shop
✓Partner dashboard under your account
✓Optional Billing API

for: agencies + multi-brand Plus groups

path 03 · public

Public app, App Store launch.

Listed on the Shopify App Store. Goes through the review path. Monetized through the Billing API. The path for founders building a SaaS around a Shopify extension. Commercially the most upside, operationally the most gates.

✓10 to 16 weeks to live in the App Store
✓Mandatory compliance webhooks
✓Billing API with recurring + usage
✓Full App Store Gate pre-submission pass
✓Listing assets + support resources

for: app founders, SaaS businesses on Shopify

A public app is not always the right answer. We build the private or custom path whenever the math and distribution support it.

§ 05 · the 2026 Shopify stack we ship

The stack has moved. Most agencies are on the old one.

Most Shopify app service pages still lead with Polaris, Node, and REST. That stack shipped in 2021. Here is the stack we actually ship against in 2026 and why each piece earns its place. Every layer references the current Shopify app development docs and Shopify's official Remix starter template.

layer 01 · framework

Shopify Remix template.

The default for every new public app. Session handling, webhook routing, billing integration, and Partner-ready config come out of the box. We only deviate for apps that need to run on Cloudflare Workers or a non-Node runtime.

Remix · Vite · TypeScript · Prisma

layer 02 · API

Admin GraphQL API.

GraphQL over REST for almost everything. Cost-based rate limiting means we plan queries around calculated cost, use bulk operations for large catalog reads, and batch mutations through @defer or fragments where possible.

Admin GraphQL · Storefront API · Customer Account API

layer 03 · UI

App Bridge 4 + Polaris.

Session-token auth, Web Component-based, no more iframe message-passing ceremony. Polaris design tokens for every surface so the app reads as native admin UI. App Bridge 1 and 2 are deprecated; we reject briefs that insist on them.

App Bridge 4 · Polaris tokens · Web Components

layer 04 · logic

Shopify Functions + Extensions.

Rust when latency matters, JavaScript when iteration speed matters. Cart, checkout, discount, delivery, payment, and validation logic now run inside Shopify itself rather than across a webhook boundary.

Rust · JavaScript · Checkout UI Extensions · Functions API

Stack picks change every 12 months. We rewrite this section every quarter; these are the calls we are making in 2026-Q2.

§ 06 · the App Store Gate

Before we submit, we run the gate.

The App Store Gate is our six-point pre-submission checklist. It maps onto the reasons Shopify actually rejects apps, in the frequency we have seen them reject. Every public app we ship clears the gate before it reaches a reviewer. First-pass approval rate on apps we submit sits above 80%. We cross-reference every check against Shopify's official app requirements checklist.

gate 01 · webhooks

Compliance webhooks live.

customers/data_request, customers/redact, shop/redact. HMAC-verified, idempotent, 200 OK under 5 seconds. The single most common rejection reason.

tooling: webhook test runner · Shopify CLI

gate 02 · OAuth

Token + scope discipline.

Minimum scopes requested. Offline tokens for background work, online tokens for merchant sessions. Secure storage, tested refresh. Over-scoped apps fail review.

tooling: scope diff · session lint

gate 03 · embedding

App Bridge 4 clean.

Every admin page embedded via App Bridge 4 Web Components. Session-token auth for every server call. No legacy iframe postMessage patterns anywhere in the codebase.

tooling: App Bridge DevTools · Polaris linter

gate 04 · billing

Billing API wired correctly.

Recurring, usage, or one-time correctly modelled. TrialDays handled. Upgrade and downgrade tested. Merchant-side billing events confirmed. Silent billing is the rejection reason nobody sees coming.

tooling: Partner Billing sandbox

gate 05 · performance

Speed + rate limits.

Admin pages under 3 seconds, webhook handlers under 5 seconds, GraphQL queries within cost budget, 429 backoff respected, bulk operations used for large catalog reads.

tooling: k6 · Lighthouse · GraphiQL cost

gate 06 · listing

Store listing ready.

Outcome-first copy, five screenshots at the required resolution, demo video, correct category, pricing with trial details, support URL and privacy policy live. Listing failures cost a full cycle.

tooling: listing preview · copy review

The gate adds roughly a week to every public app build. It pays itself back the first time the app clears review without a resubmission cycle.

§ 07 · monetization is engineering

The Billing API shapes your ARR curve.

Shopify's Billing API is the only way a public app charges merchants. The billing model you pick on day one decides churn, payback, and forecastability for the life of the app. Four models, four very different ARR curves.

01

Flat recurring subscription.

A fixed monthly price per installed shop. The simplest to build, the easiest to forecast, the most honest for merchants. The right starting model for most feature-focused apps. TrialDays handles free trials cleanly; upgrade and downgrade require explicit billing events.

fits: productivity apps, analytics dashboards, workflow automation
02

Usage-based billing.

Charge per unit consumed — orders processed, emails sent, AI generations, GB transferred. Creates an ARR curve that compounds with merchant growth. Requires careful metering, usage capping for merchants who ask for it, and transparent invoicing or trust breaks.

fits: messaging apps, AI-powered apps, review platforms, shipping tools
03

Tiered plans with overage.

Starter / Growth / Plus tiers, each with its own feature set and quota, plus usage overage per tier. The commercial default for apps crossing $1M ARR. Lets smaller merchants stay affordable while letting larger merchants pull the pricing ceiling upward.

fits: review apps, subscription managers, marketing platforms
04

One-time + app credits.

One-time charges or prepaid credits that burn down with use. Works for transactional apps where per-use pricing is cleaner than subscription. Shopify handles the billing surface; we handle the credit ledger and expiry rules.

fits: design packs, setup services, one-shot data imports, AI content batches

The billing model is the hardest thing to change post-launch. We scope the model with you in week one of every public app build.

§ 08 · BFCM-hardened app builds

Your app will be tested on Black Friday.

Peak-load is not a future problem. A Plus merchant hitting 10,000 orders per hour on Black Friday will surface every weakness in your webhook handler, your rate-limit strategy, and your database. Here is what we engineer into every app destined for a Plus merchant before November.

01 · webhook queue

Webhooks go through a persistent queue (SQS, Redis Streams, or equivalent) with idempotency keys. 200 OK returns in under 500ms; actual processing is deferred. Shopify retries for 48 hours and we reconcile anything that slipped.

02 · rate-limit budget

GraphQL calls planned around cost-based rate limits. Bulk operations for catalog-wide reads. Exponential backoff with jitter on 429s. Load-tested at 3× forecasted peak before November.

03 · database discipline

Connection pooling sized for peak. Read replicas for every merchant-facing query. Indexed on the columns BFCM actually hits (shop ID, order ID, customer ID). No N+1s that only show up at scale.

04 · load test + freeze

k6 load test at 3× forecasted peak, two weeks before BFCM. Code freeze 14 days before Black Friday. On-call rotation from Black Friday through Cyber Monday. A small dashboard that tells us what broke before a merchant opens a support ticket.

§ 09 · security + compliance posture

Merchant data is the only thing that matters to Shopify reviewers.

A Shopify app is effectively a custodian of a merchant's customer, order, and PII data. Our security baseline covers the requirements Shopify's review will test, the requirements a Plus merchant's procurement team will test, and the requirements a Plus merchant's legal team will test. Three overlapping but distinct checklists.

checklist 01

Shopify review baseline.

✓Mandatory compliance webhooks live
✓HMAC verification on every webhook
✓Minimum OAuth scopes
✓Privacy policy live and linked
✓Session-token auth on every server call

checklist 02

Procurement baseline.

✓Data region selectable (US / EU / IN)
✓Encryption in transit and at rest
✓SOC-2 Type II roadmap documented
✓Disaster recovery and RPO/RTO stated
✓Vendor questionnaire answered in 72 hours

checklist 03

Legal baseline.

✓DPA signable with Plus merchants
✓GDPR Article 28 subprocessor list
✓Sub-processor change notification flow
✓Data-retention policy enforced in code
✓Right-to-erasure workflow tested quarterly

§ 10 · proof

Three shipped apps, three different contracts.

A short field note from three app engagements shipped in the last 18 months: one private custom app, one public App Store app, one Plus Shopify Function. Numbers are real, brands named with permission.

emani

Private Admin app for ingredient-data governance.

8 weeks · private app

Beauty merchant needed one place to manage INCI ingredient data across 200 products and propagate it into metafields for every regional storefront. Built a private admin app with Polaris + App Bridge 4, Admin GraphQL for metafield writes, and a webhook subscription to products/update that kept the admin view in sync with merchandising changes. No App Store involvement.

200

products in scope

-74%

data entry time

4

regional storefronts

noble paris

Public App Store app for editorial homepage blocks.

14 weeks · public app

Shipped a public App Store app for editorial theme blocks on Shopify's Remix template. Mandatory compliance webhooks, Billing API with flat $19 and $49 tiers, theme app extensions for the storefront blocks, Polaris admin for configuration. Cleared App Store review on first submission after running the App Store Gate pass. Now used by 400+ merchants across the US, UK, and AU.

1

review cycle

400+

installed stores

3

billing tiers live

big game sports

Plus Shopify Function for tiered shipping.

5 weeks · Plus function

Plus merchant needed tiered shipping rules that Shopify's native rate rules could not express (cart value × weight × region tier × member status). Replaced a webhook-based delivery app with a Rust Shopify Function that runs inside Shopify's checkout servers. Checkout latency dropped, a $2,400/month app fee disappeared, and the shipping logic now survives every Shopify checkout upgrade automatically.

-280 ms

checkout latency

-$2.4K/mo

app costs replaced

Rust

function runtime

§ 11 · the fit check

We turn down app briefs regularly.

An app built against the wrong brief ships something neither side wanted. Here is the honest filter we run on every intro call before a scoped quote leaves our inbox.

we're right for you if

✓Clear business outcome for the app (revenue, operations, merchandising)
✓Willing to scope which of the five surfaces the app actually needs
✓Public app route: realistic on 10–16 weeks and review cycles
✓Ready to own the Shopify Partner account and GitHub repo
✓Decision-maker available for weekly product review
✓Budget scoped against engagement shape, not a fixed cap

we're wrong for you if

×Want a clone of an existing App Store app
×Need an app to “disrupt the App Store” without a specific wedge
×Expect a public app to pass review in under 6 weeks
×Insist on App Bridge 1 or 2 to match an older codebase
×Treat compliance webhooks as a post-launch task
×Cannot clarify whether the app is public, custom, or private

what we commit

You own the Partner account, the GitHub repo, the Billing API revenue, and every component, API route, database schema, and design asset. On day one and on exit. 30-day support tail at close, no proprietary tech to lose access to, no ongoing licensing. The app is yours, always.

§ 12 · four shapes of app work

Four shapes of engagement.

Pick the shape that matches the moment. We confirm fit on the intro call and send a scoped quote within 48 hours. Scope moves the price, not the conversation.

scope

App discovery + scoping

2 weeks

API surface map, rate-limit model, data contract, billing model selection, mandatory webhook plan, App Store listing plan, build-or-buy recommendation. Refundable against any build that follows.

for · founders scoping an MVP

build private

Private / custom app

6–10 weeks

Single-merchant or custom-distribution app. Admin UI, Admin GraphQL, webhooks, optional billing. No App Store review. Internal handoff kit, Partner dashboard transfer at close.

for · one merchant or a named roster

most picked

build public

Public App Store app

10–16 weeks

Full Remix-template build, mandatory compliance webhooks, Billing API, App Bridge 4, Polaris UI, theme app extensions if needed, App Store Gate submission pass, listing assets, and the launch.

for · app founders, SaaS launches

plus logic

Checkout extension + function

4–8 weeks

Plus-only engagement. Checkout UI Extensions, Shopify Functions in Rust or JS, validation rules, custom discount and delivery logic. Replaces checkout.liquid customizations cleanly.

for · Plus merchants past Liquid

Quotes sent within 48 hours of an intro call. No proprietary tooling, no licensing fees, no code held hostage on exit.

§ 13 · questions

Nine answers.

What is Shopify app development?

Shopify app development is the practice of building software that extends the Shopify platform through one of five official surfaces: the admin (merchant-facing pages), the online store (theme app extensions and app blocks), checkout (Checkout UI Extensions), Shopify Functions (discount, delivery, and payment logic that runs inside Shopify), and webhooks (event-driven integrations with your own infrastructure). An app can be public (listed on the Shopify App Store), custom (distributed privately to named merchants), or private (installed on a single store).

Public, custom, or private app — which is right for my business?

A private app is right when one specific merchant needs a bespoke tool and distribution is not a concern. A custom app is right when a small handful of named merchants need the same extension and you want to skip App Store review while retaining Shopify's install and auth infrastructure. A public app is right when the intent is to reach the Shopify App Store, build a SaaS business around the extension, and monetize through the Billing API. The three paths share most of the engineering but have very different scoping, billing, and go-to-market contracts.

How much does it cost to build a custom Shopify app?

Price is scoped to the shape of the engagement rather than a fixed rate card. Private custom apps typically run 6 to 10 weeks. Public App Store MVPs including submission typically run 10 to 16 weeks. Plus checkout extensions or Shopify Functions typically run 4 to 8 weeks standalone. The App Discovery and Scoping engagement runs 2 weeks and is refundable against any build that follows. We send a scoped quote within 48 hours of a 30-minute call; scope moves the price, not the conversation.

How long does Shopify App Store review take and how often do you pass first time?

Shopify's stated review window is 5 to 10 business days for a first submission; in practice it runs 7 to 14 business days including back-and-forth. Our first-pass approval rate on public apps we have submitted is above 80%. We pass on the first attempt when we run the App Store Gate, a six-point pre-submission checklist that catches the rejection reasons we see most often: missing compliance webhooks, over-scoped OAuth, App Bridge 4 gaps, incorrect billing handling, performance failures, and listing-asset misses.

What languages and frameworks do you use for Shopify apps?

We default to Shopify's Remix template for new public apps, Node with TypeScript for private and custom apps, and Rust or JavaScript for Shopify Functions. UI is Polaris with App Bridge 4 for admin surfaces and the Checkout UI Extensions API for checkout. Data access is the Admin GraphQL API in nearly every case; REST only for the narrow endpoints that have not moved to GraphQL. We hold against a hosting stack of Oxygen, Fly.io, Vercel, or Railway depending on the app's latency and webhook-volume profile.

Can you migrate a checkout.liquid customization to Checkout UI Extensions?

Yes, and it is one of our most-requested Plus engagements. Shopify has set a hard deprecation deadline for checkout.liquid customizations; every Plus merchant running script-tag or liquid-based checkout modifications needs them rebuilt as Checkout UI Extensions and, where logic-heavy, Shopify Functions. We scope the migration against the existing customization surface in week one, build the extensions against the Checkout Extensibility sandbox in weeks two through four, and ship behind a feature flag before the deprecation cutoff. Typical timeline is 4 to 8 weeks.

How do you handle the mandatory GDPR compliance webhooks?

Every public app we ship wires the three mandatory compliance webhooks on day one: customers/data_request, customers/redact, and shop/redact. Each handler verifies the HMAC signature, responds within 5 seconds with 200 OK, and writes an audit record with the customer ID or shop ID, the request timestamp, and the resulting action taken. Missing or silent compliance webhooks is the single most common App Store rejection and the one that costs the most days on resubmission; we treat it as a launch gate, not a launch task.

Can Shopify apps work with a Hydrogen or headless storefront?

Yes, with two architectural notes. Traditional theme app extensions do not render in a Hydrogen storefront; the equivalent is a React component in the Hydrogen codebase that consumes your app's Storefront API or a custom API. The Customer Account API gives app-installed personalization that works across Liquid and Hydrogen storefronts. Admin-side extensions and Shopify Functions are identical across Liquid and headless; only the storefront rendering path changes.

What happens on day one and on exit — who owns the app code?

You do. The app lives in a private GitHub repository under your organization, the Shopify Partner Dashboard sits under your account, the Billing API revenue flows to you, and every Figma file, component, and database schema is yours. On exit we transfer Partner ownership, hand over a written component library and deployment runbook, record a Loom walkthrough, and leave a 30-day support tail for questions. We do not gate access to force retention; if we are the right partner, you renew because the work is good, not because the code is hostage.

Start with an app scoping call.

30 minutes to map the surfaces your app needs, the distribution path that fits, and the billing model that will hold. We follow up with a scoped quote within 48 hours.

Book a 30-minute app scoping call See Shopify Plus

related services