As the title suggests - I've done all the ground work; the install URL, the redirect back to Shopify, retrieve the access token - even loaded my app start page into the Shopify iframe. All good.
BUT - as soon as I attempt to use the retrieved access token - anywhere - I get a 401 Unauthorized error.
I have tried both the graphQL (admin, and my preference) and REST endpoints. I have tried to use it to download the graphql schema. I have tried POSTMAN, I have tried curl.
What is it that I am missing here?
According to the documentation - which, whilst there is a lot of it, tends to only cover the "happy path" - I am using offline token(s) [docs] that should be valid for as long as the store has my app installed (or, as per docs: "After obtaining offline access to a store, it is only necessary to re-authorize an application after it has been uninstalled, or when the application must request additional access scopes").
The documentation and forum posts cover a lot of ground but not all of it is in sync either.
From my understanding:
And my current experience:
And further, possibly relevant experience:
Invested in this process, really need this to work.
Well, sounds like you already went through an extensive list of options there. Haven't had any issues with the issued access token whatsoever, least of all 401 Unauthorized. You say you can launch your app embedded with no problems, so the store has already granted the access scopes. The auth process you describe is by the book - how are you generating your HMAC (yourself, koa auth package, express auth package)? Invalid HMACs often cause 401s for people trying to use webhooks, so maybe it could be a similar issue here.
Really can't think of much more. Would be something for Shopify folk to check in their logs.
Thanks @KarlOffenberger - I'm awaiting a reply through official channels.
HMAC - I am generating the HMAC using the nodejs crypto package, i.e.

    const crypto = require('crypto');

    // `message` is the string being signed and `ConfigService` is the app's own
    // config accessor (both defined elsewhere in the app).
    // HMAC-SHA256 of `message`, keyed with the app's API secret, hex-encoded,
    // then wrapped in a Buffer so it can be compared with the hmac from Shopify.
    const generatedHash = Buffer.from(
      crypto
        .createHmac('sha256', ConfigService.get('server').shopifyApiSecret)
        .update(message)
        .digest('hex'),
      'utf-8',
    );
I would have assumed that if there was a problem with the HMAC that it would fail when I check it against the HMAC returned from shopify?
I've looked at this from multiple angles and have got nowhere. And without a response from the support team who can check the errors in the logs - the opaque 401 is a dead end for me. Let's hope they get back to me soon. Is there an official shopify member on the forum here I can ping?
Finally received a response from Shopify support:
Hey Steve! Mac here from Partner support.
I'm afraid you are going to need to post this question in the forums! We don't currently have the capacity to troubleshoot API issues like this 1:1. We just don't have the trained support staff to handle these kind of issues, so what I would do is copy/paste this email into a new forums post at - Developer Forums! Unless you can find a similar post where someone has already tackled something similar.
Wish there was more we could do here!
So, leaving aside the fact that the first line of my email included the information that I had already cross-posted the content to the forum; this is a very unhelpful stance.
You would think looking into the logs would be the very least they could do - I understand crowd-sourcing the problem to the app developers that live and breathe this stuff... but really? I posted this problem 5 days ago and while Karl responded, it's not his job! I get the feeling he would have helped me if he could. Maybe Shopify should allow us access to the logs for our apps?
Is this forum even monitored by Shopify?
Thanks @KarlOffenberger for your help - much more help than Shopify.
Signing (HMAC) is clearly not your issue if you're able to acquire an access token.
Sounds like you're not sending the header (X-Shopify-Access-Token) or the value you're sending is not what you think it is.
Are you sure you're sending the requests to the API endpoints of the shop for which the token was acquired? For example, if you have two development shops, the installation process and therefore the tokens for each of them would be different (apologies if it's obvious to you).
Update: in your original post you also mention sending or trying with API key and API secret key, but that's plain wrong for a public app. You should only be making calls with tokens acquired associated with a particular shop.
Ah but they do frequent the forums frequently. Probably not on a Sunday evening though.
What's in your message? Just asking because typically you'd take the querystring and remove hmac and signature for the message.
I agree HMAC is not the issue.
Definitely only have one development store.
My app is currently borked due to me mucking around with it... so I can't take a screenshot. But I am certain that I acquired the access token from the X-Shopify-Access-Token that is returned when POSTing to: https://mystore.myshopify.com/admin/oauth/access_token
I'm not sure what you mean regarding NOT sending the API Secret Key. According to the documentation here: Step 3: Confirm installation, it quite clearly says to use the API Key and the API Secret Key to exchange for an access token.
"The server responds with an access token:"
Which is where I am retrieving and storing the Access token from - as mentioned above.
I would not be surprised if this documentation is incorrect - can you confirm what I am meant to be using instead?
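The two uses being discussed in the last few replies, as an added example (not code from the thread or from Shopify): the API key and secret appear only in the one-time exchange of the authorization code at /admin/oauth/access_token, and every later Admin API call carries the shop-specific token in the X-Shopify-Access-Token header and nothing else. The functions build request descriptors rather than sending them, so they can be inspected offline; `API_VERSION`, `TokenStore`, the function names and the sample values are this example's own assumptions.

```javascript
// Added example, not code from the thread: keeping the token exchange
// (API key + secret, once) separate from Admin API calls (token only).
const API_VERSION = '2024-01'; // assumption: substitute the Admin API version your app targets

// Step 3 of the install flow: POST the code from the redirect together with
// the app's client_id/client_secret. This is the only place the secret is used.
function buildTokenExchangeRequest(shop, apiKey, apiSecret, code) {
  return {
    method: 'POST',
    url: `https://${shop}/admin/oauth/access_token`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ client_id: apiKey, client_secret: apiSecret, code }),
  };
}

// The token comes back in the JSON body's access_token field.
function extractAccessToken(responseBody) {
  const parsed = JSON.parse(responseBody);
  if (typeof parsed.access_token !== 'string' || parsed.access_token.length === 0) {
    throw new Error('token exchange response did not contain access_token');
  }
  return parsed.access_token;
}

// Offline tokens are per shop: a token issued to one store is rejected (401)
// by another store's endpoints, so key storage by shop domain.
class TokenStore {
  constructor() { this.tokens = new Map(); }
  save(shop, accessToken) { this.tokens.set(shop, accessToken); }
  get(shop) { return this.tokens.get(shop); }
}

// Any later Admin API call: no key or secret, just the shop's token header.
function buildGraphqlRequest(shop, store, query) {
  const token = store.get(shop);
  if (!token) {
    throw new Error(`no access token stored for ${shop}; complete the install flow for that shop first`);
  }
  return {
    method: 'POST',
    url: `https://${shop}/admin/api/${API_VERSION}/graphql.json`,
    headers: {
      'Content-Type': 'application/json',
      'X-Shopify-Access-Token': token,
    },
    body: JSON.stringify({ query }),
  };
}

// Constructed sample values (not real credentials).
const SAMPLE_SHOP = 'mystore.myshopify.com';
const SAMPLE_TOKEN_RESPONSE = '{"access_token":"shpat_constructed_example","scope":"read_products"}';

function demo() {
  const exchange = buildTokenExchangeRequest(SAMPLE_SHOP, 'sample-api-key', 'sample-api-secret', 'abc123');
  const store = new TokenStore();
  store.save(SAMPLE_SHOP, extractAccessToken(SAMPLE_TOKEN_RESPONSE));
  const call = buildGraphqlRequest(SAMPLE_SHOP, store, '{ shop { name } }');
  console.log(exchange.url, '->', call.headers['X-Shopify-Access-Token']);
  return { exchange, call };
}
```

Sending the built descriptor with `fetch` or any HTTP client is all that remains. The 401 in this thread is what a request gets when the header is missing, carries the API secret instead of the token, or carries a token from a different shop than the one in the URL; `buildGraphqlRequest` refuses to build such a request when no token exists for that shop.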