HTTP X-Request-With result in 303 redirect to login page

Shopify Partner
2 0 2

Hi everyone

I am trying to build an integration with shopify and a incountered a weird issue.

The case is that my integration requires me to use another service providing a proxy to connect to the Shopify Admin API and keep having the API responding with a 303 redirect. I have been debugging this for a while now, and I have conclusive narrowed this down the fact that the proxy forces a "X-Requested-With: XMLHttpRequest" HTTP header on the request and for some reason this triggers Shopify Admin API to respond with a redircet.

Though I definatly believe that the proxy should not do this I am not able to do anything about it other than reaching out for there support, which I have, but the behaviour is not going change anytime soon. On the other hand I also find it indeed weird that the Shopify Admin API by any means reacts to this header, and even more weird that it redirects to the shopify login page.

This happens both on the REST API and on the GraphQL API.

You can reproduce this behaviour using postman. Appling X-Requested-With header to the request breaks the Admin API with any request and removing the header results in successful request.

Any idea why this is happening and is it possible to work around this without removing the header or should this be reported as a bug to Shopify?


Shopify Expert
10006 116 1818

and even more weird that it redirects to the shopify login page.

Default action is to show the Admin login page in those cases vs any sort of API error. Whatever you're doing is not following valid authentication flows. Headers matter in that, as does the nature of what data is sent in the requests (like cookies).

Why is it being added? Are you doing some cross domain XHR request?

★ Winning Partner of the Build a Business competition. ★
Shopify Partner
2 0 2

Well, why it is being added I don't know as I do not control the proxy/relay server, but the request to the Admin API is made from server not client cors of any sort. I am currently investigating with the relay server team why the header is being added.

I have thorougly tested the request with all headers applied when requesting the Admin API with the proxy/reley server and only the X-Requested-With header present the API breaks. The API even breaks if only X-Shopify-Access-Token and X-Requested-With is present. You can replicate this with Postman, so still suspect something to be not quite right the Admin API.

I don't see why a X-Requested-With header in anyway should trigger a redirect to the login page?


We are having the exact same issue/in the exact same situation. The proxy that is used is a backend secure service/not requested via the browser and used intentionally to secure tokens/keys so they aren't passed. I have no idea why they are passing the 'x-requested-with' header in the request, but equally don't understand why this is triggering a redirect to the login page on the Shopify front. Any workarounds/suggestions on here?


It appears specifically that the Shopify API is checking the values of this header and if it contains 'XMLHttpRequest' it is being redirected. This should be the case if it were made via the browser/using cors but in this case that header is being included erroneously by the secure proxy. We even tried to pass an additional value via a custom header sent into the proxy to see if we could override/remove the header but it only seems to append. Sending in something such as -H 'x-requested-with: test, XMLHttpRequest' or -H 'x-requested-with: HttpRequest, XMLHttpRequest' still causes the issue so the presence at all of any value for that header matching XMLHttpRequest seems to be the cause.


Would really appreciate any help/suggestions!


the innovation agency of tomorrow, today
Shopify Partner
3 0 0

For new Shopify app developers experiencing 303 errors while trying requests and Googling this forum thread:


One possible cause is: check your Headers:


Shopify uses a special header format 'X-Shopify-Access-Token' instead of the 'Authorization' : 'Bearer' header. 


Easy mistake to make.  303 errors abound.

New Member
2 0 0

old post, but this took me some time to notice how to fix...

on postman I was using get with,line_items


but on the nodeJS script,line_items


notice that it was missing ".json";