# Handle OAuth callback from Shopify

OAuth 2.0 callback endpoint that receives the authorization code from Shopify after customer authorization. This endpoint is called automatically by Shopify after the customer authorizes the app.

Flow:
1. Shopify redirects customer here with authorization code and state
2. Validates state parameter to prevent CSRF
3. Exchanges authorization code for access token using PKCE verifier
4. Validates ID token (JWT) from Shopify
5. Stores access token and refresh token securely
6. Redirects customer back to original return URL

Security:
- Validates state parameter matches stored value
- Uses PKCE code verifier to exchange authorization code
- Validates ID token signature and claims
- State expires after 10 minutes

Error Handling:
- If customer denies authorization, redirects with error parameter
- If token exchange fails, redirects with error parameter
- All errors are logged for debugging

Note: This endpoint should not be called directly - it's invoked by Shopify's OAuth redirect.

Endpoint: GET /subscriptions/cp/api/customer-account-api/oauth/callback

Version: 0.0.1

## Query parameters:

- `code` (string)
  Authorization code from Shopify (if successful)
  Example: "abc123..."

- `state` (string, required)
  State parameter for CSRF protection

- `error` (string)
  Error code if authorization failed
  Example: "access_denied"

- `error_description` (string)
  Human-readable error description

## Response 302 fields

## Response 400 fields
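The state check and PKCE steps from the Flow and Security lists, shown in Python as an added example; it is not this endpoint's own implementation. `PendingAuthStore`, `handle_callback`, the returned action dictionaries and the `missing_code` value are hypothetical, and the in-memory dict stands in for whatever server-side storage the app uses.

```python
import base64
import hashlib
import secrets
import time

STATE_TTL_SECONDS = 600  # the page's "State expires after 10 minutes"


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): base64url(SHA-256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class PendingAuthStore:
    """Hypothetical in-memory store; a real app would use a server-side session."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}

    def begin(self, return_url):
        """Called before redirecting to Shopify: mint state and PKCE verifier."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43-128
        self._pending[state] = (verifier, return_url, self._now() + STATE_TTL_SECONDS)
        return state, pkce_challenge(verifier)

    def redeem(self, state):
        """Single use: pop the entry so a replayed callback finds nothing."""
        entry = self._pending.pop(state or "", None)
        if entry is None or self._now() > entry[2]:
            return None
        return entry[0], entry[1]


def handle_callback(store, query):
    """Decide the callback's next step from its query parameters (steps 2-3)."""
    pending = store.redeem(query.get("state"))
    if pending is None:
        # Unknown, replayed or expired state: never fall through to the exchange.
        return {"action": "reject", "reason": "invalid_state"}
    verifier, return_url = pending
    if query.get("error"):
        return {"action": "redirect", "to": return_url, "error": query["error"]}
    if not query.get("code"):  # "missing_code" is a constructed error value
        return {"action": "redirect", "to": return_url, "error": "missing_code"}
    return {"action": "exchange", "code": query["code"],
            "code_verifier": verifier, "redirect_after": return_url}
```

The state is redeemed before the `error` parameter is read, so a forged callback cannot drive a redirect to a stored return URL without a valid, unexpired state.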