Whitelisting domains in Freshdesk

I am building an app for Freshdesk. I am using some APIs to fetch details from a 3rd party service (Shopify), so I whitelisted those third-party domains inside the manifest.json file to avoid errors. But when I tried to use the API inside the app, it throws an error “This domain has not been whitelisted”.

Whitelisted domains in the manifest.json file.

  "whitelisted-domains": [
    "https://*.freshdesk.com",
    "https://www.freshworksapps.com",
    "https://*.myshopify.com"
  ]

API endpoint URL (from where I am trying to get data) - https://addfd_api_key:asdf_passowrd@sample-store2.myshopify.com/admin/api/2021-07/orders.json
Shopify’s URL format is https://{apikey}:{password}@{hostname}/admin/api/{version}/{resource}.json.

Since the URL contains ‘:’ and ‘@’ I tried whitelisting with ‘:’,’@’.

  "whitelisted-domains": [
    "https://*.freshdesk.com",
    "https://www.freshworksapps.com",
    "https://*:*@*.myshopify.com"
  ]

But the above-whitelisted syntax throws an error: [ERROR] Whitelisted domains must not have more than one subdomain: https://:@*.myshopify.com.

Let me know if I am missing anything.

Hi @Amaresh_S_M,

Both the methods that you have tried would not work for the API endpoint that you have shared. Ideally, using credentials in the API URL is not considered secure.

Since multiple dynamic attributes are used in the URL before the domain, I will get the right way to whitelist this domain or what alternative can be considered.

Could you share the API documentation link for the mentioned API, and tell us which authentication mechanism you are using here and why you chose it?

Thanks @Raviraj. Yes, in the frontend, using credentials in the URL is not secure. When we use the client.request method, the API call is initiated from the server, am I right? So I tried using that way. Also, there is an alternative to this approach using Shopify-Access-Token.

Shopify API Documentation link - Basic HTTP authentication

@Amaresh_S_M Shopify also supports adding credentials in the Authorization header it seems. Were you able to try that out only with the store name in the URL?

Is the Shopify Access Token part of OAuth based on authentication? If so, it would not be supported for multiple stores, I assume. Could you validate that part as well if you would want to support multiple stores in Shopify?
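The suggestion above (store name only in the URL, credentials in the Authorization header) can be sketched as follows. This is an added example, not code from the thread, Freshworks or Shopify. The function names are hypothetical, and `hostAllowed` is a simplified matcher that assumes a `*.` wildcard covers exactly one subdomain label; it is not the platform's own validator.

```javascript
// Split "https://key:pass@host/path" into a credential-free URL plus a
// Basic Authorization header, so the URL can match a host-only whitelist.
function splitCredentials(rawUrl) {
  const u = new URL(rawUrl);
  const headers = {};
  if (u.username || u.password) {
    // The URL parser percent-encodes userinfo; decode before encoding.
    const user = decodeURIComponent(u.username);
    const pass = decodeURIComponent(u.password);
    headers.Authorization =
      'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
    u.username = '';
    u.password = '';
  }
  return { url: u.toString(), headers };
}

// Simplified whitelist check (assumption, not the platform's validator):
// a pattern is scheme + host, and the host may start with "*." to allow
// exactly one subdomain label. Patterns with userinfo never parse.
function hostAllowed(url, patterns) {
  const u = new URL(url);
  if (u.username || u.password) return false; // credentials in URL: reject
  const host = u.hostname.toLowerCase();
  return patterns.some((p) => {
    const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(p);
    if (!m || m[1].toLowerCase() + ':' !== u.protocol) return false;
    const base = m[3].toLowerCase();
    if (!m[2]) return host === base;
    if (!host.endsWith('.' + base)) return false;
    // Everything left of ".base" must be a single label.
    return !host.slice(0, -(base.length + 1)).includes('.');
  });
}

// Whitelist as posted in the question (the first manifest.json snippet).
const WHITELIST = [
  'https://*.freshdesk.com',
  'https://www.freshworksapps.com',
  'https://*.myshopify.com',
];
```

The `url` and `headers` returned by `splitCredentials` are what would be handed to the request call, so the key and password stay out of the URL and out of anything that records it.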