[API] Invalid API key or access token

Mike32
New Member

Hello,

We are consistently receiving an error when uploading a tracking number for our orders through the API, with the response showing the message "[API] Invalid API key or access token (unrecognized login or wrong password)", even though the credentials are valid, and have all appropriate permissions. This error occurs regardless of the actual API key we use, even when all permissions are enabled.

We are also seeing the same scenario when we attempt to upload a new item to our catalog, as well.

The credentials are being submitted using the base-64-encoded "APIKey:Password" format in an additional header named "Authorization", as described in other posts and the API documentation.

Below are the details of a recent request which was rejected, even though the request and the data itself are properly formatted and the credentials are valid. It is clear that the credentials are valid, as we are able to connect to and retrieve orders from the API with no problems.

 

API Key: d884bb8fed9221203710923ca8f28662

 

Request Details:

URL: https://godpsmusic.myshopify.com/admin/orders/5089613125/fulfillments.json

Action: POST

Accept: application/json

Content-Type: application/json

ContentLength: 88

Authorization: Basic ZDg4N...

Request Body: {"fulfillment":{"tracking_number": "9400110200881547551513","tracking_company": "USPS"}}

 

Response: The remote server returned an error: (401) Unauthorized. {"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}

0 Likes
Alex
Shopify Staff

Hey Mike,

It's possible that your base64 encoded string is adhering to RFC 2045 specification vs RFC 4648 specification. RFC 2045 base64 strings have newline characters every 60 characters and I believe an additional one on the end, while RFC 4648 base64 strings have all newline characters stripped out. We expect a base64 string adhering to RFC 4648.

If you're using Ruby, the only difference is in using the Base64.strict_encode64 method rather than Base64.encode64.

I hope that helps.

0 Likes
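
The encoder difference described in the reply above, as an added Ruby example that is not part of the original thread: `Base64.encode64` inserts a line feed after every 60 encoded characters plus one at the end, while `Base64.strict_encode64` emits a single line. The credentials are constructed placeholders, and `mime_basic_header`, `strict_basic_header` and `basic_header_problems` are hypothetical helper names.

```ruby
require "base64"

# Constructed sample credentials (not real): a 32-character key and password,
# joined as "APIKey:Password" for Basic authentication.
API_KEY  = "a1" * 16
PASSWORD = "b2" * 16

# MIME-style output: Ruby inserts "\n" after every 60 encoded characters
# and appends one at the end, so the header value spans several lines.
def mime_basic_header(key, password)
  "Basic " + Base64.encode64("#{key}:#{password}")
end

# RFC 4648 output: one unbroken line, safe to place in a header.
def strict_basic_header(key, password)
  "Basic " + Base64.strict_encode64("#{key}:#{password}")
end

# Returns a list of problems found in an Authorization header value.
def basic_header_problems(value)
  problems = []
  scheme, _, token = value.partition(" ")
  problems << "scheme is not Basic" unless scheme == "Basic"
  return problems << "missing token" if token.empty?
  problems << "token contains CR/LF" if token.match?(/[\r\n]/)
  problems << "token contains spaces or tabs" if token.match?(/[ \t]/)
  begin
    # strict_decode64 rejects line breaks and bad padding.
    decoded = Base64.strict_decode64(token)
    problems << "decoded value has no ':' separator" unless decoded.include?(":")
  rescue ArgumentError
    problems << "token is not strict RFC 4648 base64"
  end
  problems
end

puts basic_header_problems(mime_basic_header(API_KEY, PASSWORD)).inspect
puts basic_header_problems(strict_basic_header(API_KEY, PASSWORD)).inspect
```
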
Mike32
New Member

Hello Alex,

Thank you for this information. We have revisited this piece, and we've verified that the base-64 string contains no line breaks, and is using the RFC 4648 as you expect.

As mentioned in the original post, we are able to retrieve records from the Shopify API with no problem, using the same credentials formatted the same way. We can retrieve orders, fulfillment records, and product records, but we cannot "post" or "put" fulfillment or product records using these credentials.

It seems that the "read and write" option in the permissions for the API key is not correctly allowing the "write" access, while still allowing the "read" access.

Is there another setting for our account that must be changed to enable the private key as valid for the "write" permissions?

Or is there some other issue which is preventing the API key from being seen as valid during a "write" request, even though it is valid during a "read" request?

0 Likes
Alex
Shopify Staff

Hey Mike,

Can you point me to a shop I can look at and the app name in question? I can dig in on our end and see if I can replicate.

Cheers.

0 Likes
Mike32
New Member

Hi Alex,

Our shop is https://godpsmusic.myshopify.com, and it sounds like you are asking which public app we are using.

We are using a private app we've built to connect directly to our Shopify account from our backend systems. This private app allows us the customization we need in order to ensure our data from our backend maps to Shopify and vice-versa for a full automated connection between the two systems.

Is there a way that we can schedule a call with one of your team and work together on that call to capture the request from our system and the corresponding API response, and pinpoint the issue?

Thank you.

0 Likes
Andy_Lower
Shopify Partner

Forgive me if I'm way off the mark here, just thought I'd give it a go... when we're posting to Shopify, it looks as if our headers are different from yours:

"X-Shopify-Access-Token", Token
"Content-Type", "application/json"
"client_id", APIKey
"client_secret", SecretKey

Are you including these the same as we do? Not sure if it has anything to do with ours using the embedded sdk etc.

Kind regards, Andy Lower PandaCake Shopify Partners
0 Likes
Alex
Shopify Staff

Hey Mike,

We aren't equipped to take calls in dev support. I'm not seeing any requests being made by the private api client in question in the past 30 days but that could just be a nuance of our logging engine. Could you provide an x-request-id (the more recent the better) I can refer to? You'd get this as a response header to these requests.

Cheers.

0 Likes
Mike32
New Member

Hi Alex,

We've submitted a new request to "post" a new item, and we've received the same error again: 401 Unauthorized. {"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"} .

The X-Request-ID for this upload is 1a9cc8da-d1c4-4edd-aad0-355374e3bf79. Please investigate this and let us know what you find.

Thank you.

0 Likes
Mike32
New Member

Hi Andy,

Thank you for the details. We've reviewed the headers you're using, and it appears that you are using the OAuth authentication methods, whereas our system is using the Private authentication methods from a Windows-based application, which has some differences in the credentials and how they are sent during the requests.

0 Likes
Alex
Shopify Staff

Hey Mike,

Unfortunately the logs haven't been enough to indicate the problem but I had another observation.

If you were to make a POST request to /admin/products.json with no body and a bad auth header, you would receive a 401 response. If you fixed the header, you'd receive a 400 Bad Request response, since we obviously prioritize checking the authorization header before checking the structure of the request.

I was able to, as your api client, make an empty POST request to /admin/products.json that, if it had a proper auth header, would still result in a 400 response, so no data would be changed or created. I encoded the credentials as base64 and included the output in an `Authorization: Basic ...` header and was able to consistently pass the authentication check (resolving to a 400 response).

This tells me there is still something occurring in your architecture that's causing this, perhaps in how it's encoded if it's done perhaps slightly different across your get/post methods?

Cheers.

0 Likes
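
One way to test the hypothesis in the last reply, that the read and write paths encode the credentials differently, is to capture the `Authorization` value each path actually sends and compare them field by field. This is an added Ruby example, not code from the thread; the credentials and the three header values are constructed, and `describe_auth` and `auth_differences` are hypothetical helper names.

```ruby
require "base64"

# Constructed sample credentials (not real).
CREDS = "#{'a1' * 16}:#{'b2' * 16}"
# Constructed captures: one read-path header and two divergent write-path headers.
GET_AUTH       = "Basic " + Base64.strict_encode64(CREDS)
POST_AUTH_WRAP = "Basic " + Base64.encode64(CREDS)                 # MIME encoder used
POST_AUTH_CRLF = "Basic " + Base64.strict_encode64(CREDS + "\r\n") # unstripped config value

# Summarise one Authorization value without echoing the secret:
# scheme, token length, characters outside the base64 alphabet,
# the decoded key, and the length of the decoded secret.
def describe_auth(value)
  scheme, _, token = value.to_s.partition(" ")
  stray = token.scan(/[^A-Za-z0-9+\/=]/).uniq
  decoded = Base64.decode64(token) # lenient decode: skips line breaks
  key, sep, secret = decoded.partition(":")
  { scheme: scheme, token_len: token.length, stray: stray,
    key: key, has_secret: !sep.empty? && !secret.empty?,
    secret_len: secret.length }
end

# Names of the fields that differ between the header sent on the read
# path and the header sent on the write path; empty when they match.
def auth_differences(get_value, post_value)
  a = describe_auth(get_value)
  b = describe_auth(post_value)
  a.keys.reject { |k| a[k] == b[k] }
end

puts auth_differences(GET_AUTH, POST_AUTH_WRAP).inspect
puts auth_differences(GET_AUTH, POST_AUTH_CRLF).inspect
```

A difference in `stray` points at the encoder, while a difference in `secret_len` with an identical `key` points at how the password is read before encoding.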