How a Shopify embedded app returned {} for seventy-two hours — and what was actually wrong underneath six layers of plausible-looking bugs.
Build an embedded Shopify app that scores how well a merchant's products are readable by AI search engines — and ship the first version in a day.
The product is AI Layer. The thesis: most storefronts are written for Google, not for ChatGPT, Perplexity, or Gemini. The opportunity sits in the gap between traditional SEO and the answer-engine layer that ranks citeable, structured, parseable commerce.
The technical brief was small: a Shopify Remix app, embedded in the merchant's admin, that authenticates, reads products via the Admin GraphQL API, and renders a visibility score with per-product checks. A V0. Nothing exotic.
The reality of getting there is what this document is about. Every plausible cause was checked. Most of them were wrong in instructive ways. The one that was right was almost invisible — a single column name and a single sentence buried in Shopify's API error response that the wrapping library had been swallowing.
Every plausible fix was tested as a hypothesis against a measurement. The bug shifted shape across the chase — but it never shifted because of a guess. Each fix only happened after a log line, a database query, or a network response forced it.
The app's authentication stack has five distinct layers — token exchange, App Bridge handshake, session storage, scope grants, API wrapping. Each was isolated and tested in turn. Skipping layers would have meant solving the right problem in the wrong place.
The breakthrough came from a raw fetch() to the Admin API that bypassed Shopify's GraphQL client entirely. The wrapper had been swallowing the actual error message. One direct call surfaced the literal sentence Shopify's API wanted us to read: "non-expiring access tokens are no longer accepted."
17 products analysed. Five checks per product. A weighted visibility score. The first render — after three days of {} — landed as a working dashboard with five honest insights about what the dev store was missing for AI-search readability.
The product works. The architecture is on Shopify's current expiring-token authentication model, ahead of the merchants still on deprecated tutorials. The next phase is generative — turning each red check into a one-click fix.
Shopify deprecated non-expiring offline tokens in April 2026. Every embedded-app tutorial older than that is now wrong in the same silent way: it builds an app that installs cleanly and then 403s on the first Admin API call. Migrating to expiringOfflineAccessTokens: true is the new baseline.
The visible symptom was the page returning {}. The actual cause was four layers below that, in a deprecation notice the wrapping library never logged. Holding both ends of the abstraction at once — and bypassing it when stuck — is the move.
What started as a one-day prototype is a deployed, authenticated, real-data embedded Shopify app on the current auth model, ready for Phase 2: turning red checks into one-click AI-generated fixes for descriptions, SEO, and structured data.