403 Forbidden on Get Products happening the day after installation.

Hello, really need help on this.
We have our unlisted app installed on several shops.
Even though we have our token installed, the permissions seem to expire or something similar.


After the installation we automatically get all the products and orders, this action works every time. 

After a while we start receiving a 403 Forbidden. 


We are still able to get the shop information through the REST API.

We have access as contributors and the app is still installed; the active permissions I can see from the shop admin are correct.


No idea where the problem is coming from, this is the response.


```
  name: 'HTTPError',
  host: undefined,
  hostname: 'the-hundred-shoes.myshopify.com',
  method: 'GET',
  path: '/admin/products/count.json',
  protocol: 'https:',
  url: undefined,
  statusCode: 403,
  statusMessage: 'Forbidden',
   { server: 'nginx',
     date: 'Tue, 09 Apr 2019 11:30:03 GMT',
     'content-type': 'text/html',
     'transfer-encoding': 'chunked',
     connection: 'close',
     'x-sorting-hat-podid': '92',
     'x-sorting-hat-shopid': '4478468189',
     vary: 'Accept-Encoding',
     'referrer-policy': 'origin-when-cross-origin',
     'x-frame-options': 'DENY',
     'x-shopid': '4478468189',
     'x-shardid': '92',
     'x-stats-userid': '27587117149',
     'x-stats-apiclientid': '2791127',
     'x-stats-apipermissionid': '103209238621',
     http_x_shopify_shop_api_call_limit: '1/40',
     'x-shopify-shop-api-call-limit': '1/40',
     'strict-transport-security': 'max-age=7889238',
     'x-request-id': '940f9bc7-09f1-4512-909b-5fbfa25d1170',
     'x-shopify-stage': 'production',
     'content-security-policy': 'default-src \'self\' data: blob: \'unsafe-inline\' \'unsafe-eval\' https://* shopify-pos://*; block-all-mixed-content; child-src \'self\' https://* shopify-pos://*; connect-src \'self\' wss://* https://*; frame-ancestors \'none\'; img-src \'self\' data: blob: https:; script-src https://cdn.shopify.com https://checkout.shopifycs.com https://js-agent.newrelic.com https://bam.nr-data.net https://dme0ih8comzn4.cloudfront.net https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com https://widget.intercom.io https://js.intercomcdn.com \'self\' \'unsafe-inline\' \'unsafe-eval\'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=count&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fproducts&source%5Bsection%5D=admin_api&source%5Buuid%5D=a80db825-2a7c-42ff-b51c-68fe976d1fd0',
     'x-content-type-options': 'nosniff',
     'x-download-options': 'noopen',
     'x-permitted-cross-domain-policies': 'none',
     'x-xss-protection': '1; mode=block; report=/xss-report?source%5Baction%5D=count&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fproducts&source%5Bsection%5D=admin_api&source%5Buuid%5D=a80db825-2a7c-42ff-b51c-68fe976d1fd0',
     'x-dc': 'ash,gcp-us-central1',
     'content-encoding': 'gzip' } }
```




We are also seeing a lot of 403s in our unlisted app. Requests are succeeding on retries however.

How are you making the call in the first place?

Feels like you're trying to hit the endpoint via the browser directly - not the Admin API -  and your account just doesn't have access to product data. Some more insights into _how_ you're making this call could help the forum members here help you.

Just regular API calls to different resources: products, orders, customers, checkouts. Those all randomly responded with 403. But it looks like there have not been any of those since 2019-04-13 16:56:28 +0300. It was an issue for several days.

Hi Jason, the problem was that I accidentally started asking for an online access token instead of an offline one. That's why it stopped working after a while.
So now I'm struggling to find a way to change the token of the affected shops to an offline token without asking for new scopes or uninstalling the app, but no luck so far.
Since there is no way to automatically shake hands for a new token, I thought about removing my own permissions when a client opens the app (this would uninstall the app) and then redirecting them to the auth page. This way I would at least skip the manual uninstall, making it look like an authorized update.
The other way would be to try to get the offline token while the user is connected, but I'm not sure if I can do that.
I'm still getting this error today on Bing when submitting a sitemap after some changes on my website.
I am having the same issue with the embedded app opened from the Shopify admin, following the tutorial for the React app. If the app stays open for a day in the browser I get this error, and I have to restart ngrok and update the URL addresses every time.

Why is only GraphQL being banned?

It appears that in the initial request to /admin/internal/web/graphql/core, the "X-CSRF-Token" header value was not correct.

It does get refreshed once the frame reloads. It doesn't look like this is something our apps can affect.

You can try forcing a redirect out of the iframe and back into it.

It's annoying, but it essentially resets the CSRF value on the Shopify admin page.