A secure token generation library for Shopify Multipass authentication. WinterTC compatible - works across all JavaScript runtimes including Cloudflare Workers, Deno, Node.js, and browsers.
Shopify provides a mechanism for single sign-on known as Multipass. Multipass uses an AES encrypted JSON hash to securely pass customer information to Shopify and automatically log users in. This library provides functions for generating these tokens using standard Web APIs.
Lightweight and dependency-free - uses only native Web Crypto APIs for all cryptographic operations.
npm install multipass-everywhereimport { Multipass } from "multipass-everywhere";
// Initialize with your Shopify Multipass secret
// The secret can be found in your shop Admin (Settings > Checkout > Customer Accounts)
const multipass = new Multipass("your-multipass-secret");
// Create your customer data hash
// The email and created_at fields are required
const data = {
email: "user@example.com",
first_name: "John",
last_name: "Smith",
tag_string: "vip",
return_to: "https://your-shop.myshopify.com/products/some-product",
};
// Encode data to a token
const token = await multipass.encode(data);
console.log(token);
// Generate a full Shopify login URL
const url = await multipass.generateUrl(data, "your-shop.myshopify.com");
console.log(url);
// Generates: https://your-shop.myshopify.com/account/login/multipass/{TOKEN}Note: The library automatically adds the required
created_attimestamp field.
To use Multipass with Shopify, an Enterprise / Plus plan is required. Make sure "Accounts are required" or "Accounts are optional" is selected and Multipass is enabled in your Shopify admin.
You can include the following fields in your customer data:
| Field | Description |
|---|---|
email |
Required. Customer's email address |
created_at |
Required. Current timestamp in ISO8601 format (added automatically) |
first_name |
Customer's first name |
last_name |
Customer's last name |
tag_string |
Comma-separated tags to apply to the customer |
return_to |
URL path within your store to redirect after login |
identifier |
Optional unique identifier if emails aren't unique |
addresses |
Array of customer addresses |
Note: The
remote_ipfield is deprecated and no longer supported by Shopify.
Multipass tokens are only valid for 15 minutes and can only be used once. You should always generate tokens on-the-fly when needed.
- Secure encryption using AES-CBC
- Token signing with HMAC
- Base64URL encoding for URL safety
- Works in browser and Node.js environments with Web Crypto API
- WinterTC compatible - uses standard Web APIs for cross-runtime compatibility
- Works in serverless environments like Cloudflare Workers
- Zero dependencies - small bundle size and fast loading
- Lightweight implementation using only native Web APIs
Vadym Rusin
MIT