access_token END POINT gets 400 Bad Request

New Member


I am trying the OmniAuth Shopify flow for developing an app for Shopify from the instructions given in the links below:

I'm stuck when I make a 'POST' request to retrieve the access token, and I am sending all the needed parameters, i.e. (client_id, client_secret and code), in the request body in JSON format. But then I am receiving 400 Bad Request. In the response it also shows "Oauth error invalid_request: The authorization code was not found or was already used".

Can you please help me with this?

Shopify Staff

Hey @dror1 

I believe the OAuth auth code can only be used a single time to retrieve the access token. My guess is that somewhere in your omniauth setup, you are duplicating the call to Shopify and thus getting the error message. 

Kevin_A | Developer Support @ Shopify

New Member

Hi, thank you for your answer.

I am pretty sure that's not the case. My app is in its very first steps, and all I do in it is get the auth callback (after the user submits his shop name using OmniAuth), validate it and try to obtain the token.
Additionally, I am using httplog to log my outgoing communication and no further calls were made.

Here is my code (all of it):


  def auth_callback
    # extract shop data from request parameters
    shop = request.params['shop']
    code = request.params['code']
    hmac = request.params['hmac']

    # perform hmac validation to determine if the request is coming from Shopify
    h = request.params.reject{|k,_| k == 'hmac'}
    query = URI.escape(h.sort.collect{|k,v| "#{k}=#{v}"}.join('&'))
    digest = OpenSSL::HMAC.hexdigest('sha256', SHOPIFY_API_SECRET, query)

    if !ActiveSupport::SecurityUtils.secure_compare(digest,hmac)
      return [403, "Authentication failed. Digest provided was: #{digest}"]
    end

    # exchange the authorization code for an access token
    payload = {client_id: SHOPIFY_API_KEY, client_secret: SHOPIFY_API_SECRET, code: code}
    url = "https://#{shop}/admin/oauth/access_token"
    response =, body: payload)

    if response.code == 200
      session =, response['access_token'])
    else
      # This call always responds with "400 - Oauth error invalid_request, Oauth error invalid_request: The authorization code was not found or was already used"
      return [500, "Something went wrong."]
    end

    head :ok
  end
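
An added example, not part of the thread and not Shopify's code: a callback handler that rejects a bad HMAC without echoing the computed digest, redeems each authorization code at most once, and records every attempt so a duplicated exchange becomes visible. `callback_digest`, `CodeRedeemer`, `sample_params`, the secret and the parameter values are constructed for illustration, and the token POST is injected as a callable so the block runs offline.

```ruby
require 'openssl'
require 'set'

# Constructed placeholder, not a real credential.
API_SECRET = 'constructed-example-secret'

# Hex HMAC-SHA256 over the sorted "key=value" pairs, 'hmac' itself excluded.
def callback_digest(params, secret = API_SECRET)
  message = params.reject { |k, _| k == 'hmac' }
                  .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  OpenSSL::HMAC.hexdigest('sha256', secret, message)
end

# Hypothetical helper: redeems each authorization code at most once.
class CodeRedeemer
  attr_reader :attempts

  # post_token: callable(shop, code) doing the one token POST, returning the HTTP status.
  def initialize(post_token)
    @post_token = post_token
    @seen = Set.new
    @lock = Mutex.new
    @attempts = [] # [code, outcome] audit trail for spotting duplicate calls
  end

  def handle(params)
    provided = params['hmac'].to_s
    unless OpenSSL.secure_compare(callback_digest(params), provided)
      return [403, 'Authentication failed.'] # the computed digest is never echoed
    end

    code = params['code'].to_s
    first_use = @lock.synchronize { @seen.add?(code) } # nil when already seen
    unless first_use
      @attempts << [code, :duplicate_blocked]
      return [409, 'Authorization code already redeemed.']
    end

    status = @post_token.call(params['shop'], code)
    @attempts << [code, status]
    status == 200 ? [200, 'ok'] : [502, 'Token exchange failed.']
  end
end

# Constructed callback parameters, signed with the placeholder secret.
def sample_params
  base = { 'code' => 'constructed-code', 'shop' => 'example.myshopify.com' }
  base.merge('hmac' => callback_digest(base))
end
```

A `:duplicate_blocked` entry in `attempts` points at a second callback hit for the same code, which is the situation the staff reply describes.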