Implement the Shopify Customer Account API OAuth flow in a headless storefront to authenticate buyers without classic customerAccessToken

Verified steps

1. Register a Customer Account API client in the Shopify Partners dashboard under your app's Customer Account settings; configure the redirect URI to your storefront's callback route (e.g., /account/callback)
2. Generate a PKCE code_verifier and code_challenge (SHA-256 hash, base64url encoded) in the login route; store the code_verifier in the session and redirect the customer to the Shopify authorization URL with client_id, response_type=code, redirect_uri, scope, state, and code_challenge
3. In the callback route validate the returned state matches the session state (CSRF protection), then POST to the Shopify Customer Account API token endpoint with grant_type=authorization_code, code, redirect_uri, client_id, and code_verifier to exchange the code for access and refresh tokens
4. Store the access_token, refresh_token, and expires_at in an encrypted session cookie; the access_token is a JWT scoped to the customer's account — do not store it client-side
5. Use the access_token as a Bearer token in the Authorization header when calling the Customer Account API GraphQL endpoint to query customer orders, profile, and addresses
6. Implement token refresh: when expires_at is within a threshold, use the refresh_token with grant_type=refresh_token to get a new access_token before the current request fails