In the extension's `shopify.extension.toml`, declare network access by adding the allowed domain(s) under the appropriate network access configuration block (verify the current TOML field name in Shopify Checkout UI Extension docs — it is typically under `[extensions.network_access]` or a capabilities block).
In your Shopify app, configure an app proxy URL (Shopify admin → App → App proxy) that maps a `/apps/<prefix>` path on the storefront domain to your app's backend endpoint — this is the recommended pattern to avoid CORS issues.
Inside the extension component, use the `fetch` capability provided by the extension API (verify via `useApi` whether a scoped fetch is available, or use the global `fetch` against your declared domain) to call your backend.
Pass the checkout session token or a signed request header from your extension to authenticate the request on the backend — do not expose Admin API credentials to the extension.
On the backend, validate the request signature and return only the data the extension needs — avoid proxying raw Admin API responses.
Test network calls via `shopify app dev` and check the browser network panel in the checkout editor preview for request/response details.
Known gotchas
Checkout UI Extensions enforce a strict content security policy. Fetch calls to undeclared domains are blocked at the sandbox level — there is no runtime error that reaches your code, the request simply fails. Declare all domains in the TOML before testing.
The app proxy appends `logged_in_customer_id` and other query parameters to proxied requests — use these for lightweight authentication but verify the HMAC signature on your server to confirm the request originated from Shopify.
Network calls in extensions add latency to the checkout experience. Cache backend responses aggressively and show a loading state in the UI; Shopify may time out or demote extensions that slow checkout performance.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp