Basic GET failing

New Member
2 0 1

Trying just basic request to API and keep getting status of "401 Unauthorized" and response is

"errors""[API] Invalid API key or access token (unrecognized login or wrong password)"
Was wondering if someone had any ideas?

Was following

and using Postman so this

For those not familiar with Postman - it's a simple tool that allows you to quickly and easily test requests and see the response.

I've tried putting username and password in URL, tried putting it in Postman Request, tried putting it in Collection Authentication .  

I have created a new API secret key and same error.

I am using GET method and URL is


Request going out to shopify is (captured using Fiddler):

Content-Type: application/json
Authorization: Basic ZGVmNWM2MGFjNjNkZTg2OTM4MjkyYjU4ZDllNTljMjM6M2UzMGM4YzJhZTEzZjU0OWViMjY1N2MxMjFhYTMwZjk=
User-Agent: PostmanRuntime/7.21.0
Accept: */*
Cache-Control: no-cache
Postman-Token: cee61bba-36af-4ae8-8356-9a8b3cbd37ef
Accept-Encoding: gzip, deflate
Connection: close


Response was (captured using Fiddler)

HTTP/1.1 401 Unauthorized
Date: Fri, 03 Jan 2020 16:48:23 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d0ec7ac4ff57c4d1b2186a95d72b817d71578070103; expires=Sun, 02-Feb-20 16:48:23 GMT; path=/;; HttpOnly; SameSite=Lax
X-Sorting-Hat-PodId: 135
X-Sorting-Hat-ShopId: 29422878856
Referrer-Policy: origin-when-cross-origin
X-Frame-Options: DENY
X-ShopId: 29422878856
X-ShardId: 135
WWW-Authenticate: Basic Realm="Shopify API Authentication"
Strict-Transport-Security: max-age=7889238
Set-Cookie: _secure_admin_session_id_csrf=070b7138f8a15ac38cafa8413bb8ddd8; path=/admin; expires=Fri, 03 Apr 2020 16:48:23 -0000; secure; HttpOnly; SameSite=Lax
X-Request-Id: 43a1fad4-bc0f-4b19-a89b-f7942c69315f
X-Shopify-Stage: production
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=show&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fshops&source%5Bsection%5D=admin_api&source%5Buuid%5D=43a1fad4-bc0f-4b19-a89b-f7942c69315f
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=show&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fshops&source%5Bsection%5D=admin_api&source%5Buuid%5D=43a1fad4-bc0f-4b19-a89b-f7942c69315f
X-Dc: gcp-us-central1,gcp-us-central1
set-cookie: _secure_admin_session_id=070b7138f8a15ac38cafa8413bb8ddd8; path=/admin; expires=Fri, 03 Apr 2020 16:48:23 -0000; secure; HttpOnly
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri=""
Server: cloudflare
CF-RAY: 54f675c28ce1cf00-IAD

{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}


Shopify Partner
132 29 33

This is an accepted solution.

Hi ChdSoftware,


Just double checking, are you using your store's private API key as username when trying the Basic Auth method?


Step 4 of the instructions say:

In the Username and Password fields, enter your store's private API key and password respectively.

- Yes, we build Shopify Apps. Hit me with your idea:
- Let customers preview your products and easily add them to cart with Peek Mode
- Add free, good looking social share icons with built-in analytics to your store with Share Lab
- Manage your new arrivals with Newr
New Member
2 0 1

Thank you  for jogging my thought process and helping me discover the solution.  Documenting here so that hopefully it helps someone else


In I had created the app.  Under apps - there was my app, I clicked on my app and it gave me the API key and secret.  That is NOT the right key and secret. 


You need to create a test store.  Then log into that development store.  In my case the store URL is

Once in that store - click apps and create a private app.  Fill in "Private app name" and "Emergency developer email" a new API key and secret will be created in the Apps section of the development store.  Now it works as expected.


Thank you 

Not sure I explained it correctly - but hope this helps someone else understand "the other API key and secret" 

24 0 1

Shopify should clear this credentials confusion up with more detailed documentation of the differing development flows and their locations within Shopify. The documentation would lead you to think the incorrect credentials are appropriate for this use-case. It's what led me here, and apparently you as well.