I'm creating an internal application that connects to the Shopify Order API. Using Postman, I got a 200 OK response, but obviously there was no change related to the order (create new, close, cancel) because it returned the HTML body of the Shopify admin login page.
There is no problem with the authentication (because I can use GET; the credentials were set using basic auth in Postman), and the JSON formatting is okay.
For example, this simple POST request returns 200 OK but with Shopify Admin Login HTML: "https://myurl.com/admin/orders/5615918161/cancel.json"
I observe that this also happens for several POST requests in other APIs.
If you're getting the HTML login page response I can make a fairly strong assumption that you're sending cookies in your POST. The server will block any change request that includes header cookies.
You'll be able to test this easily in the desktop version of Postman since that tool will let you remove/include header cookies.
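Added example, not part of the original answer: a Python client that sends the POST with basic auth and no cookie jar, and treats a 200 response whose Content-Type is not JSON as a failure instead of a success. The `MockAdmin` server, the `/admin/orders/1/cancel.json` path, the credentials and the cookie value are constructed stand-ins that only imitate the behaviour described above; they are not Shopify code.

```python
import base64, json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class MockAdmin(BaseHTTPRequestHandler):
    """Constructed stand-in: returns login HTML when a Cookie header is present."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Cookie"):
            ctype, body = "text/html", b"<html><title>Login</title></html>"
        else:
            ctype, body = "application/json", b'{"order": {"cancelled": true}}'
        self.send_response(200)  # 200 in both cases, as in the question
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def post_json(url, user, password, payload, cookie=None):
    """POST JSON with basic auth; raise if the 200 response is not JSON."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
    if cookie:  # only set to reproduce the failure; omit in real use
        headers["Cookie"] = cookie
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    # No HTTPCookieProcessor in this opener, so no cookies are stored or replayed.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        ctype, body = resp.headers.get_content_type(), resp.read()
    if ctype != "application/json":
        raise RuntimeError(f"HTTP 200 but Content-Type is {ctype}: change not applied")
    return json.loads(body)

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/admin/orders/1/cancel.json"
    try:
        clean = post_json(url, "key", "secret", {})
        try:
            post_json(url, "key", "secret", {}, cookie="_session=constructed")
            with_cookie = "accepted"
        except RuntimeError:
            with_cookie = "rejected"
    finally:
        server.shutdown()
        server.server_close()
    return clean, with_cookie

if __name__ == "__main__":
    print(demo())
```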