Solved

GraphQL Calls from Postman - 403 Forbidden, REST Works Ok, GraphiQL App works

MozzoERP
Shopify Partner

Hello all, having some struggles in starting testing using GraphQL. I'd appreciate any help or insights you may have! TIA.

 

What am I trying to do?

  • Test some GraphQL calls from Postman before starting to do so via code.

What's the issue?

  • I keep getting a 403 forbidden response

What have I tried?

  • Graph calls from Shopify GraphiQL App within the development store work fine
  • REST API calls are working fine using the private app key and pwd
  • I have set Orders, transactions, Fulfillments access to read/write 
  • POST to: https://<mystore>.myshopify.com/api/2019-07/graphql.json
  • I've set Authorization to NONE
  • I've added 2 headers:
    • Content-Type: application/graphql
    • X-Shopify-Access-Token: <private app API Password>

What am I doing wrong?

 


Chad Richardson
Mozzo Software - Modular Software that grows with you from solopreneur to a 200 person mega team. Why keep outgrowing your Shopify Apps? Start with us, and just use the modules you need, then add more as you grow. http://MozzoERP.com

Busfox
Shopify Staff (Retired)

Hi @MozzoERP,

 

Sounds like you are requesting a resource that you don't have permission to, but I can't confirm without seeing your query or searching the request-id for one of the failed requests. Can you provide one or both of those?

 

Cheers,

To learn more visit the Shopify Help Center or the Community Blog.

MozzoERP
Shopify Partner

Hi @Busfox ,

 

Thanks for your reply.

Here is the X-Request-ID: 

[{"key":"X-Request-ID","value":"b398fce7-a9e6-4816-af5c-db44d8737696","description":"Custom header","enabled":true,"disableEdit":true,"message":"Custom header"}]

 

And here is one of several queries I've tried. 

{
  shop {
    products(first: 5) {
      edges {
        node {
          id
          handle
        }
      }
      pageInfo {
        hasNextPage
      }
    }
  }
}

MozzoERP
Shopify Partner

Hi @Busfox, was this the info you needed or is the request ID some other value?

MozzoERP
Shopify Partner

Anyone else able to perform GraphQL calls from Postman using a private app password?

MozzoERP
Shopify Partner

Anyone? @Busfox ? Bueller? 🙂

Busfox
Shopify Staff (Retired)

Hey @MozzoERP,

 

I'm not seeing much aside from a 403 error. Is your secret being passed in the X-Shopify-Access-Token header properly in Postman? I tested this in Insomnia and it works fine. I also tested in Postman and had no issues.


MozzoERP
Shopify Partner

When I look at the Postman code, it is showing this (myshop and token changed for security):

curl -X POST \
  https://<myshop>.myshopify.com/api/2019-07/graphql.json \
  -H 'Content-Type: application/graphql' \
  -H 'X-Shopify-Access-Token: 40351a29a725c88cdc0bbfc93322b9ac' \

Which looks identical to this Shopify provided example.

 

So I guess the only thing left is the value that I'm providing for the "X-Shopify-Access-Token".

 

The authentication section of the documentation on this is not super explicit, so maybe I'm not doing something right here.

  1. I created a private app in my development store
  2. I used the API Password as the X-Shopify-Access-Token value in the header as seen in the curl request above
  3. I've also tried using the Access Token that gets generated when I connect my app to my dev store, with the same results.
  4. You mention "is your secret being passed properly...." a.) are you referring to something different than the API Password, i.e. you don't mean the "Shared Secret", right? Also, see the curl example above, is that correct?
  5. So to confirm, there is no user value that has to be passed, just the X-Shopify-Access-Token with the OAuth access token OR the private App Password?
  6. The private app verbiage states that private apps use basic authentication and provide an example URL. If I use that means of authentication, I get a different error:

      {
          "errors": [
              {
                  "message": "Parse error on \"query\" (STRING) at [1, 2]",
                  "locations": [
                      {
                          "line": 1,
                          "column": 2
                      }
                  ]
              }
          ]
      }

MozzoERP
Shopify Partner

This is an accepted solution.

@Busfox. Found the solution in this post (the net: use a content-type of application/json, not application/graphql, when using client access tools like Postman). The documentation is a bit misleading. We wasted a lot of time on this that a sentence or two would clear up in the docs. Hope it gets updated soon to help others.

Chad Richardson
Mozzo Software - Modular Software that grows with you from solopreneur to a 200 person mega team. Why keep outgrowing your Shopify Apps? Start with us, and just use the modules you need, then add more as you grow. http://MozzoERP.com
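
The body/Content-Type pairing behind the accepted solution, as an added example that is not part of the original thread or Shopify's own code. It assumes application/json carries a {"query": ...} JSON envelope while application/graphql carries the bare query text; `build_request`, `check_body`, the host name and the token value are hypothetical placeholders, and nothing is sent over the network.

```python
import json
import urllib.request

# Constructed sample query, same shape as the one posted in the thread.
QUERY = "{ shop { products(first: 5) { edges { node { id handle } } } } }"
# Placeholder host (assumption); the path is the one used in the thread.
URL = "https://mystore.example/api/2019-07/graphql.json"


def build_request(url, token, query, content_type="application/json"):
    """Return an unsent POST whose body encoding matches its Content-Type."""
    if content_type == "application/json":
        body = json.dumps({"query": query}).encode("utf-8")   # JSON envelope
    elif content_type == "application/graphql":
        body = query.encode("utf-8")                          # bare query text
    else:
        raise ValueError(f"unsupported Content-Type: {content_type}")
    headers = {"Content-Type": content_type, "X-Shopify-Access-Token": token}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def check_body(content_type, body):
    """Return None when body and Content-Type agree, else describe the mismatch."""
    try:
        parsed = json.loads(body.decode("utf-8"))
        is_envelope = isinstance(parsed, dict) and "query" in parsed
    except ValueError:
        is_envelope = False
    if content_type == "application/graphql" and is_envelope:
        # A GraphQL parser reads '{' and then hits the string "query" at
        # line 1, column 2, as in the parse error quoted in the thread.
        return "JSON envelope sent as application/graphql"
    if content_type == "application/json" and not is_envelope:
        return "body is not a JSON object with a 'query' key"
    return None


if __name__ == "__main__":
    # The token is a labelled placeholder; load the real one from a secret store.
    good = build_request(URL, "PLACEHOLDER_TOKEN", QUERY)
    print(check_body("application/json", good.data))
    print(check_body("application/graphql", good.data))
```

Running `check_body` on a request exported from a client tool before sending it shows whether the tool wrapped the query in a JSON envelope, which is the case where the header has to be application/json.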