Secure PDP/PLP Reads in Hydrogen Without Secrets

Introduction

Hydrogen storefronts often need to fetch public product data for PDPs (Product Detail Pages) and PLPs (Product Listing Pages). The catch: developers sometimes mistakenly expose API tokens in client code.

The good news? Shopify’s Storefront API supports tokenless public reads for most catalog queries. This means you can secure your Hydrogen builds while still delivering fast PDP/PLP experiences.

Why Tokenless Reads Matter

  • 🔐 Security → no client-side secrets to leak.
  • ⚡ Performance → cached, CDN-friendly queries.
  • 🛒 Scalability → avoids Admin API misuse for catalog fetches.
  • 📊 Pitch differentiator → agencies can highlight tokenless reads in proposals.

👉 Merchants don’t want to risk leaked tokens — and they don’t have to.

Example: PDP Query Without Token

  query ProductByHandle($handle: String!) {
    product(handle: $handle) {
      id
      title
      description
      images(first: 3) {
        edges { node { url altText } }
      }
      variants(first: 5) {
        edges { node { id price { amount currencyCode } } }
      }
    }
  }

👉 This query reads only public catalog fields, so it can run without an API token when the request is made in tokenless mode.

Caching Strategy

  • SWR (stale-while-revalidate): serve cached PDP data instantly, refresh in background.
  • CDN edge caching: pair tokenless reads with Shopify CDN.
  • Fallback logic: if the Storefront API request fails, render the last cached PDP/PLP instead of an error state.

Use Cases

  • PLPs (collections): fast catalog fetches without secrets.
  • PDPs (products): public data (title, price, media) without auth.
  • Landing pages: safe product queries for marketing sites.

Case Example: Agency Pitch

  • Client worried about exposing tokens in client code.
  • Agency pitched tokenless PDP reads with cache-first strategy.
  • Outcome: client signed — cited “security-first architecture” as deciding factor.

Guardrails

  • ✅ Use tokenless reads only for public catalog data.
  • ✅ Do not expose cart/checkout queries without auth.
  • ✅ Apply SWR + CDN caching to minimize latency.
  • ✅ Document fallback logic for error states.
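The PDP query above, the caching strategy and these guardrails, combined into one small tokenless read client. This is an added example, not Hydrogen's or Shopify's own code: it assumes the Storefront GraphQL endpoint accepts a JSON POST of {query, variables} with no token header, the endpoint URL is a placeholder, and the fetch stub and its product response are constructed for offline use.

```javascript
// Added example, not Hydrogen's or Shopify's own code. Assumes the Storefront
// GraphQL endpoint accepts a JSON POST {query, variables} with no token header.
const PRODUCT_BY_HANDLE = "query ProductByHandle($handle: String!) { product(handle: $handle) { id title } }";
// Guardrail: only catalog root fields go out tokenless; cart/checkout/customer reads and
// mutations are refused. Checks the first (alias-aware) root field; production code should parse.
const PUBLIC_ROOTS = new Set(["product", "products", "collection", "collections"]);
function isPublicCatalogQuery(query) {
  const m = query.match(/^\s*(?:query\b[^{]*)?\{\s*(\w+)(?:\s*:\s*(\w+))?/);
  return !!m && PUBLIC_ROOTS.has(m[2] || m[1]);
}
// SWR cache: fresh -> served from cache; stale -> served now and refreshed in the
// background; API failure -> last cached copy instead of an empty PDP/PLP.
function createSwrClient({ fetchFn, endpoint, maxAgeMs, swrMs, now = Date.now }) {
  const cache = new Map();
  async function fromApi(query, variables) {
    const headers = { "Content-Type": "application/json" }; // deliberately no token header
    const res = await fetchFn(endpoint, { method: "POST", headers, body: JSON.stringify({ query, variables }) });
    if (!res.ok) throw new Error(`Storefront API HTTP ${res.status}`);
    const body = await res.json();
    if (body.errors) throw new Error(body.errors.map((e) => e.message).join("; "));
    return body.data;
  }
  async function query(q, variables) {
    if (!isPublicCatalogQuery(q)) throw new Error("refusing tokenless non-catalog query");
    const key = q + JSON.stringify(variables);
    const hit = cache.get(key), age = hit ? now() - hit.at : Infinity;
    if (age < maxAgeMs) return { data: hit.data, source: "cache" };
    if (age < maxAgeMs + swrMs) { // stale-while-revalidate window
      fromApi(q, variables).then((d) => cache.set(key, { data: d, at: now() })).catch(() => {});
      return { data: hit.data, source: "stale" };
    }
    try {
      const data = await fromApi(q, variables);
      cache.set(key, { data, at: now() });
      return { data, source: "api" };
    } catch (err) {
      if (hit) return { data: hit.data, source: "fallback" }; // expired copy beats an error page
      throw err;
    }
  }
  return { query };
}
// Constructed stub standing in for fetch; not a real Storefront API response.
const stub = { calls: 0, fail: false };
async function stubFetch(_url, init) {
  stub.calls += 1;
  if (stub.fail) return { ok: false, status: 503, json: async () => ({}) };
  const { handle } = JSON.parse(init.body).variables;
  return { ok: true, json: async () => ({ data: { product: { id: "gid://shopify/Product/1", title: handle } } }) };
}
```

In a Hydrogen route loader the same shape maps onto the framework's own cache options; the point here is that the request builder has nowhere to put a secret and the guardrail rejects non-catalog documents before one is sent.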

Conclusion

Hydrogen developers don’t need to risk security for speed. By leveraging tokenless Storefront API reads for PDPs/PLPs, teams can deliver secure, fast, and cache-friendly storefronts.

Secrets don’t belong in the client — and Shopify gives you a way around them.