Shapes provides the flexibility to either interact with the Omneo API directly, or to get creative with a separate backend or proxy.

Let's looks at a basic Shapes setup. We have a config below that will call the Omneo API directly, using a JWT to authenticate and a known user's profile_id to access their data:

    url: "https://api.{environment}",
    token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6...",
    profileId: "8c5a9509-scg2-43sg-aec2-a90de8jj9sg4",

This is a great way to get up and running quickly, but poses a number of questions around security and transparency for the user.

  • Can an end user guess or find another customer's profile_id and then access their data?
  • Is the token a general token, allowing access to system-critical endpoints?
  • Should an end user have visibility over Omneo as a brand, through the API URL?

Using a proxy

With any implementation of Shapes, we'd recommend abstracting the front end access to Omneo, through the use of a proxy. The proxy can act as a gatekeeper and also allows each system to govern access appropriately for logged in users - Without needing to involved Omneo in the identification of valid users etc.


Omneo's first party app for Shopify acts as a proxy for front end components, including Shapes. Shapes interacts with this plugin in the following way:

    url: "",
    token: "{{shopify_customer.metafields.omneo_token}}",
    profileId: "{{shopify_customer.metafields.omneo_id}}"

When a customer logs in to Shopify, a front-end script checks to determine if the customer has an omneo_token metafield. If they don't, the plugin will inject a short-term access token into the customer metafields. This token is then used to authenticate requests from Shapes, to the plugin. Once a profile has a short-term access token, it then uses this to authenticate all requests to the proxy.

The proxy then validates all requests internally and will use its own access token to pass on requests to the Omneo API, if they are valid.

Salesforce Commerce Cloud

The Omneo / SFCC Cartridge will determine the logged in user internally, allowing this detail to be obfuscated to the front end. When a user is logged in and Shapes make a request, the cartridge will find the logged in user's Omneo profile_id, then use its own Omneo API Token to proxy the Shapes request.

If the Omneo ID isn't present, the cartridge should make its own request to the Omneo API and attempt to find the customer's profile by email, or demandware ID.

Since the Cartridge handles authentication and identification of the customer's Omneo profile_id on the backend, we recommend the following front-end Shapes configuration:

    url: "https://{{cartridge_url}}/api",
    token: false,
    profileId: "me"

The Cartridge can then proxy all requests, replacing the profile_id value of me with the customer's real Omneo profile_id. The Cartridge can also ensure that only allowed endpoints are accessed - mainly just /v3/profiles/{profile_id} and its children.