I'm developing a Shopify app, alongside a third-party app, both of which communicate with the Shopify Admin REST API.
Previously, I was using 'client_credentials' to obtain the access token for the third-party app, and everything worked fine. However, after developing and installing the Shopify app on one of the stores, the 'client_credentials' flow stopped working.
Here are the scopes defined in the Shopify app:
read_products, read_assigned_fulfillment_orders, read_merchant_managed_fulfillment_orders,
read_orders, read_returns, read_third_party_fulfillment_orders, write_assigned_fulfillment_orders,
write_customers, write_fulfillments, write_merchant_managed_fulfillment_orders, write_orders,
write_products, write_returns, write_third_party_fulfillment_orders
Here is the client_credentials access token request:
POST https://{shop}.myshopify.com/admin/oauth/access_token
Headers: {content-type: 'application/x-www-form-urlencoded'}
Payload: {
  client_id: app_client_id,
  client_secret: app_client_secret,
  grant_type: client_credentials
}
Response:
{
  "error": "shop_not_permitted",
  "error_description": "Client credentials cannot be performed on this shop."
}
Has anyone experienced a similar issue? Any insights or solutions would be appreciated!
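An added example, not part of the original post: the token request above built as a form-encoded body, with the client secret masked before logging and the error body from the post parsed into a typed exception. The shop-name pattern, the `access_token` success field (per RFC 6749) and all function names are assumptions.

```python
import json
import re
from urllib.parse import urlencode, parse_qs

class TokenError(Exception):
    """OAuth error returned by the token endpoint."""
    def __init__(self, code, description):
        super().__init__(f"{code}: {description}")
        self.code, self.description = code, description

def build_token_request(shop, client_id, client_secret):
    """Return (url, headers, body) for the client_credentials request in the post."""
    # Assumed pattern: reject anything that could change the host or path of the URL.
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", shop):
        raise ValueError("unexpected shop name")
    url = f"https://{shop}.myshopify.com/admin/oauth/access_token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"client_id": client_id,
                      "client_secret": client_secret,
                      "grant_type": "client_credentials"})
    return url, headers, body

def redact(body):
    """Copy of the form body that is safe to log: client_secret is masked."""
    fields = parse_qs(body)
    return urlencode({k: "REDACTED" if k == "client_secret" else v[0]
                      for k, v in fields.items()})

def parse_token_response(raw):
    """Return the access token, or raise TokenError with the server's error code."""
    data = json.loads(raw)
    if "error" in data:
        raise TokenError(data["error"], data.get("error_description", ""))
    return data["access_token"]  # assumed field name (RFC 6749 section 5.1)

def classify(raw):
    """Separate the per-shop refusal quoted in the post from other failures."""
    try:
        parse_token_response(raw)
        return "ok"
    except TokenError as err:
        return "refused_for_shop" if err.code == "shop_not_permitted" else "other_error"

# Error body copied from the post.
SAMPLE_ERROR = ('{"error": "shop_not_permitted", "error_description": '
                '"Client credentials cannot be performed on this shop."}')
# Constructed success body for comparison.
SAMPLE_OK = '{"access_token": "example-token", "scope": "read_products"}'
```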