storefrontAccessTokenCreate mutation always returns "Access Denied"

Shopify Partner
67 5 31

I am working on an app that also requires a storefront access token. I am setting it up to create an access token when the app is logged into.

But it always returns an error:

mutation storefrontAccessTokenCreate($input: StorefrontAccessTokenInput!) {
  storefrontAccessTokenCreate(input: $input) {
    storefrontAccessToken {
      accessToken
    }
    userErrors {
      field
      message
    }
  }
}

And variables:

{
	"input": {
    "title": "Test name"
  }
}

Which outputs:

{
  "data": {
    "storefrontAccessTokenCreate": null
  },
  "errors": [
    {
      "message": "StorefrontAccessTokenCreate access denied",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "storefrontAccessTokenCreate"
      ]
    }
  ],
  "extensions": {
    "cost": {
      "requestedQueryCost": 10,
      "actualQueryCost": 10,
      "throttleStatus": {
        "maximumAvailable": 1000.0,
        "currentlyAvailable": 990,
        "restoreRate": 50.0
      }
    }
  }
}

 

Do I need a special scope to call storefrontAccessTokenCreate? If yes, then this isn't documented at all on pages https://shopify.dev/docs/admin-api/graphql/reference/mutation/storefrontaccesstokencreate?api[versio... and https://shopify.dev/docs/admin-api/access-scopes .

0 Likes
Shopify Partner
67 5 31

Here's the X-Request-ID: 657060d8-01ec-46b2-a5bf-a76a83cf2a22

0 Likes
Shopify Staff
Shopify Staff
695 81 150

Hey @tolgapaksoy,

You need to request the unauthenticated scopes during Oauth. Details are in the docs you linked: https://shopify.dev/docs/storefront-api/getting-started#requesting-unauthenticated-scopes

JB | Developer Support @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Click Accept as Solution 

0 Likes
Shopify Partner
67 5 31

Hi @_JB 

So in order to create a Storefront token from the Admin API, I need to include all scopes from Storefront token also in my OAuth scopes for Admin API?

I just tried doing that with Request 29f77578-0646-4efe-80c3-65f03a8cb79a and it still gives me the same error.

0 Likes
Shopify Staff
Shopify Staff
695 81 150

Hey @tolgapaksoy,

I just pulled up that request but I'm still not seeing the unauthenticated scopes. The scopes I'm referring to all begin with the word unauthenticated, full list can be found here.

Keep in mind that if you're testing on a shop where the app was installed previously, you'll need to update the scopes first. You can do this by deleting the app and requesting the new scopes during install, or redirect the user back to Oauth with the new scopes included in the URL.

JB | Developer Support @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Click Accept as Solution 

0 Likes