Solo dev, shipped my first Shopify app, here is the honest debrief from week 1
First Shopify app shipped last week. Approved on the App Store, listing is live. 3 installs since approval, 0 reviews, 1 confirmed uninstall within an hour. Solo dev, working from Poland.
The app scans a merchant's catalog and scores each product 0 to 100 on signals that show up in AI shopping results: ChatGPT Shopping, Perplexity, Google AI Overviews. The honest framing is that 11 of the 14 rules I check are classic SEO (title length, alt text, description depth) and only 3 are actually unique to AI surfaces (GTIN/barcode, Shopify standard category metadata, structured metafields). I am not pretending the 11 are AI-specific. The score is a combined snapshot, and I am still tuning the weights.
Stack is Remix template, Polaris, Prisma over SQLite, Docker Compose on a single Hetzner VPS. GPT-4.1-nano for the AI rewrites, one bundled call returning title plus description plus SEO copy as JSON. Embedded admin via App Bridge v3.
Three things I learned the hard way this week:
authenticate.webhook() from u/shopify/shopify-app-remix with expiringOfflineAccessTokens: true tries to refresh the offline token AFTER validating HMAC. For shop/redact webhooks (which fire 48h after uninstall) the token is already revoked. The library throws Response(500) on the failed refresh, and Shopify retries 9 times over 48h. My partner panel was full of red. Fix was to bypass authenticate.webhook in compliance routes and verify HMAC manually with crypto.timingSafeEqual against SHOPIFY_API_SECRET.
Concurrent AI fix requests can race past the monthly limit if the counter check and increment are not atomic. SQLite handles this fine if you wrap in prisma.$transaction(async tx => ...) because it uses BEGIN IMMEDIATE under the hood and serializes writers.
The default catalog scan loops productsConnection.first(50) until hasNextPage is false, with zero cost awareness. Standard plan has a 2000 point bucket. A 250 product scan can burn 1000 points easily. Two concurrent scans hit THROTTLED. The fix is reading extensions.cost.throttleStatus.currentlyAvailable after each call and sleeping if low. The floor needs to scale with maximumAvailable or Plus stores end up sleeping at 97 percent full.
Things I am still unsure about:
Pricing. Free tier is 20 AI fixes per month right now (was 100 until yesterday, that was too generous, the one real merchant uninstalled in an hour without burning one). Paid is 9 and 29. I am wondering if this should be unlimited with a catalog size cap instead. Merchants think in catalogs, not in fixes.
Whether app/uninstalled belongs in [webhooks.subscriptions] of shopify.app.toml or registered programmatically. Template defaults are ambiguous and merchant sessions linger in my DB after uninstall.
How others handle the 30 day GDPR clock for compliance webhooks. I ACK 200 even when internal cleanup throws, to avoid retry storms, but there is no alert path if cleanup silently fails repeatedly.
What did I miss? What is the obvious thing I will regret in 3 months?