Private app basic auth problem 401 in any case.

New Member
2 0 0

I try to execute simple request using storefront api, such that has been shown in tutorials and "getting started articles".

I've tried to authenticate using several different options:

  1. by url
  2. with Authorization: Basic base64(apikey:password)
  3. with custom header X-Shopify-Access-Token: apikey

But still have 401 response.

There is one request that I used below:



UPD: I used wrong api endpoint.
User-Agent: GraphQL.Client/
X-Shopify-Access-Token: 2%myaccesstoken%
traceparent: 00-9a471591195ff944ad0fab31cfaa5db4-5880000947509440-00
Content-Type: application/json; charset=utf-8
Content-Length: 108

{"query":"\r\n shop { id name email }\r\n ","variables":null,"operationName":null}

And the response:

HTTP/1.1 401 Unauthorized
Date: Sat, 19 Dec 2020 14:00:02 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Sorting-Hat-PodId: 180
X-Sorting-Hat-ShopId: 52109148341
Referrer-Policy: origin-when-cross-origin
X-Frame-Options: DENY
X-ShopId: 52109148341
X-ShardId: 180
WWW-Authenticate: Basic Realm="Shopify API Authentication"
Strict-Transport-Security: max-age=7889238
X-Shopify-Stage: production
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=update&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fshops&source%5Bsection%5D=admin_api&source%5Buuid%5D=b701dfad-4abb-4943-8be7-ce78f6253803
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=update&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fshops&source%5Bsection%5D=admin_api&source%5Buuid%5D=b701dfad-4abb-4943-8be7-ce78f6253803
X-Dc: gcp-us-east1,gcp-us-central1,gcp-us-central1
X-Request-ID: b701dfad-4abb-4943-8be7-ce78f6253803
CF-Cache-Status: DYNAMIC
cf-request-id: 071ce5f0ee00007b733a8d0000000001
Expect-CT: max-age=604800, report-uri=""
Server: cloudflare
CF-RAY: 6041a5c7eacf7b73-DME

{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}

Where have I gone wrong?


UPD: I used wrong api endpoint.

I replaced this url to

And now I receive Forbidden status code.

The question is same )

New Member
2 0 0