Context: Aleta, Shopify, and distributors
Aleta Distribution Sàrl is a Swiss distribution company. Its product catalog lives in Shopify: products, variants, media, and inventory are maintained there as the operational system of record.
B2B partners — other distributors and integrators — need reliable programmatic access (reference pricing, stock, logistics locations) without handing every party a Shopify Admin token or forcing each integration team to own raw GraphQL complexity.
d-side solutions designed and operates a public B2B API served at api.aleta.ch, backed by the Shopify store, with published documentation and an onboarding path for API consumers.
💡 Technical positioning
The component is a Symfony middleware that maps wholesale needs (stable REST, JSON, scoped access) into controlled calls to Shopify's Admin GraphQL API — with caching, structured logging, and consumer-oriented error surfaces.
The challenge: open the catalog without compromising Shopify
Sharing direct Admin API access with many distributors creates security, governance, and contract problems: each partner negotiates different commercial terms, and Shopify's API surface moves with every version (removed fields or schema changes).
- ✗No shared Admin token — distributing Admin credentials to every integrator multiplies risk and makes rotation painful.
- ✗Catalog price ≠ distributor price — discounts or margins must be applied per account in a deterministic, auditable way.
- ✗GraphQL version drift — a query that worked yesterday can fail after an API version bump when fields disappear from the schema.
- ✗Server operations — repeatable deploys, file permissions (configuration writes), and structured logs to diagnose production.
🎯 Goal
Deliver a versioned REST surface, per-client API keys with scopes (products, stock, locations), an admin console to manage accounts, and a disciplined production rollout story.
The solution: Symfony middleware between Shopify and integrators
The Symfony 8 application acts as a gateway: it authenticates B2B calls (Authorization: Bearer … header or an equivalent query parameter), applies the client's pricing rules, queries Shopify through the Admin GraphQL API, and returns documented JSON payloads.
// Data flow
REST · API key · scopes
auth · pricing · cache
catalog · inventory
Monetary values are returned as strings to avoid JSON floating-point surprises on the consumer side.
The repository deploys onto d-side infrastructure (git pull, composer install, Symfony cache clear) using a documented Composer-driven deploy script — standardizing releases and reducing environment drift.
Real incident: Shopify errors in production
At one point the catalog endpoint started returning a generic "Shopify upstream" failure. Application logs showed GraphQL errors: fields (weight and weightUnit on ProductVariant) were no longer available on the configured Admin API version. The fix was to align the GraphQL selection set with the supported schema — a reminder that every Shopify integration must track the API version lifecycle.
Operations: file permissions
A separate production issue was a permission denied write to a temporary client-configuration file when the web server's Unix user did not match deployment ownership. The remedy is consistent permissions and ownership between SSH-based deploys and the Apache runtime — mundane, but blocking for self-service account administration.
Key features
Versioned REST surface
Integrators rely on endpoints for health checks, paginated product listings (cursor, SKU, status filters), stock, and locations — all behind the same authentication convention and per-client rate limits.
Per-client pricing
The middleware computes account-specific prices (for example percentage off catalog retail plus complementary rules for direct-delivery scenarios) from Shopify amounts in a centralized, testable way.
Admin console
A password-protected web UI creates and disables clients, adjusts percentages and access scopes, and communicates credentials without ever exposing the Shopify Admin token — each partner receives its own dedicated key (prefix such as b2b_) and must store it like any other secret.
Signed webhooks
A dedicated endpoint accepts Shopify notifications with HMAC signature verification, enabling reliable server-side reactions when catalog or inventory changes originate in Shopify.
Results
- ✓Clear integration contract — REST JSON, explicit errors, documentation co-hosted with the API.
- ✓Shopify remains the system of record — no manual duplicate catalog silo.
- ✓Resilience to API evolution — targeted GraphQL adjustment after a real production incident.
- ✓Repeatable deploys — documented Composer script to update code and dependencies on the server.
Summary
For Aleta, d-side solutions built a lean but complete B2B layer on top of Shopify: separate identities per distributor, server-side pricing, and operational discipline to survive schema changes and POSIX realities.
The same pattern — domain middleware + stable API + lightweight admin — applies to other brands that want to open their catalog to partners without sacrificing Shopify security.
Running B2B distribution on Shopify and need a controlled partner API? Get in touch.
Luc Demierre
Founder & IT Consultant — d-side solutions Sàrl, Bulle
Specialized in IT architecture, systems security and e-commerce integration for Swiss SMEs. Founder of d-side solutions Sàrl since 2022.