Any method I've attempted to request information from a Shopify store from a different domain results in the familiar CORS error:
"Access to fetch at 'https://x.myshopify.com/admin/api/2019-04/graphql.json' from origin 'https://x.ngrok.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."
I'm trying to create a customer-facing site which is very simple and is just for managing (creating and logging in) customer accounts, and doing specific things with those accounts like setting tags and sending emails to store staff to update details on those accounts once they're created. Using GraphQL or the REST API, is there a way to get the Shopify store to allow API requests from my separate domain without triggering the CORS error? Any way at all to add the appropriate "Access-Control-Allow-Origin" header in the response from the API endpoint?
(The security implications are not my concern here, as I believe API credentials can be obfuscated using backend middleware on the site doing the requests)
Or am I going about it the wrong way and there's another recommended way to do this besides those two APIs?
Or is what I'm trying to do only possible on the same domain as the store, by design, no exceptions?
Solved! Go to the solution
This is an accepted solution.
If you want to make an API request to the admin API, you have to do it from a back end. Front end requests, as you observed, will be blocked by the CORS policy on our end. What you can do is from your front end, delegate to your backend to make the request, and return the response data from that request to your front end.
Can you please explain more how to achieve this delegation from Frontend to Backend?
The flow is fairly simple but refer to the docs for extra info on authentication. You should never be trying to access the Admin API from the front end as it's not secure. You will be passing auth details that anyone could steal so this is just a crazy idea.
General delegation (high level):
What are you trying to do that needs a call to the Admin API in the first place?
Thank you for quick reply,
what I am using is an GraphQL Admin API. This is my sample query
This is not solved. What about the Storefront API. Does that require a backend too? I literally can't get a straight answer out of this forum because every question is about a different kind of API. Public, private, custom. Dudes. Make better docs.
Think of it this way:
Storefront API is a public API and the token for it is meant to be used on the client side.
Admin API is a private API and the token is not meant to be shared publicly. If you share this token to everyone by making requests from the browser, they can potentially access private information about your store, financial information, CUSTOMER information etc.
This could lead to both inconvenience to your customers as they would be subject to fraud as well as you could run into legal issues if someone decides to sue you because of it.
Hence, Shopify throws a CORS error when detecting that you use a browser to send a request to a private API. While the CORS error might not be the most appropriate response here, it is valid for them to deny your request.
Hope that clarifies the issue for others encountering this error.
It doesn't clear up the issue because it doesn't answer my question. It only reitterates other docs.
The question is Does Storefront API actually work Client-Side or are there unavoidable CORS issues that require a server-side proxy?
I'm not talking about the difference between Storefront and Admin.
You sound like a bot.