Focuses on API authentication, access scopes, and permission management.
Hello,
I have created a public app with sales channel enabled and am trying to generate the storefront API access token, but I keep getting a status code 403 with the following response body:
Admin API (https://{shop}/admin/api/2019-10/graphql.json) Request:
{
  appInstallation {
    accessScopes {
      handle
      description
    }
  }
}
Response:
{
  "data": {
    "appInstallation": {
      "accessScopes": [
        {
          "handle": "read_product_listings",
          "description": "Read product information"
        },
        {
          "handle": "read_orders",
          "description": "Read orders, transactions, and fulfillments"
        },
        {
          "handle": "read_shipping",
          "description": "Read shipping rates, countries, and provinces"
        },
        {
          "handle": "write_content",
          "description": "Modify store content like articles, blogs, comments, pages, and redirects"
        },
        {
          "handle": "write_products",
          "description": "Modify products, variants, and collections"
        },
        {
          "handle": "write_customers",
          "description": "Modify customer details and customer groups"
        },
        {
          "handle": "write_draft_orders",
          "description": "Modify draft orders"
        },
        {
          "handle": "unauthenticated_read_customer_tags",
          "description": "Read customer tags"
        },
        {
          "handle": "unauthenticated_read_content",
          "description": "Read store content like articles, blogs, comments, pages, and redirects"
        },
        {
          "handle": "unauthenticated_read_product_listings",
          "description": "Read product information"
        },
        {
          "handle": "unauthenticated_read_product_tags",
          "description": "Read product tags"
        },
        {
          "handle": "unauthenticated_read_collection_listings",
          "description": "Read collection listings"
        },
        {
          "handle": "unauthenticated_write_checkouts",
          "description": "Modify checkouts"
        },
        {
          "handle": "unauthenticated_write_customers",
          "description": "Modify customer details and customer groups"
        },
        {
          "handle": "read_content",
          "description": "Read store content like articles, blogs, comments, pages, and redirects"
        },
        {
          "handle": "read_products",
          "description": "Read products, variants, and collections"
        },
        {
          "handle": "read_customers",
          "description": "Read customer details and customer groups"
        },
        {
          "handle": "read_draft_orders",
          "description": "Read draft orders"
        },
        {
          "handle": "unauthenticated_read_checkouts",
          "description": "Read checkouts"
        },
        {
          "handle": "unauthenticated_read_customers",
          "description": "Read customer details and customer groups"
        }
      ]
    }
  },
  "extensions": {
    "cost": {
      "requestedQueryCost": 2,
      "actualQueryCost": 2,
      "throttleStatus": {
        "maximumAvailable": 1000.0,
        "currentlyAvailable": 998,
        "restoreRate": 50.0
      }
    }
  }
}
This is an accepted solution.
Hey @heisenbaby, just wanted to touch base on this to ask and share a few things here!
If yes to the above, here are a few questions to work through:
1. Does this persist across multiple testing and/or development stores?
2. Are you using REST or GraphQL?
3. If yes, have you tested with both using their corresponding endpoints?
4. Can you replicate this across more than one app?
Feel free to let me know once you have worked through this, and I would be happy to try and pass on any other insights if needed - Cheers!
awwdam | API Support @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
Did you ever figure this out? I have the same issue 😞
This is an accepted solution.
accessMode: 'offline'
Was the key to making this work for me 😄
Can you elaborate please? Where should I put the accessMode: "offline"?
So, this may or may not be the issue you are having, as it depends on how you are requesting the Shopify API access token (which you in turn use to request a storefront token).
The default when requesting access to the Shopify API is for tokens to have offline access (https://shopify.dev/apps/auth/oauth/access-modes). But if you are using the @Shopify/koa-shopify-auth module that a lot of the sample code uses, when you request the token with createShopifyAuth, you need to specify it, as it defaults to requesting tokens with 'online' access. And those don't work to create a Storefront token - or they didn't. It was a while since I did this and it was poorly documented (hence this thread).
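import createShopifyAuth from '@shopify/koa-shopify-auth';

createShopifyAuth({
  // Ask for an offline token explicitly; this module requests 'online' by default.
  accessMode: 'offline',
  async afterAuth(ctx) {
    // ... whatever
  },
})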
Best of luck!
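
Added example, not part of the original thread and not Shopify's code: a preflight check that tells from the OAuth token-exchange response whether a token was issued in online or offline access mode before it is used to request a Storefront token. It assumes online-mode responses carry the per-user fields `expires_in`, `associated_user` and `associated_user_scope`, and that at least one `unauthenticated_*` scope is needed; the function names and sample responses are constructed for illustration.

```javascript
// Fields that appear only in online-mode token responses (assumption noted above).
const ONLINE_ONLY_FIELDS = ['expires_in', 'associated_user', 'associated_user_scope'];

// Classify a token-exchange response as 'online' or 'offline'.
function classifyAccessMode(tokenResponse) {
  const hasUserFields = ONLINE_ONLY_FIELDS.some((field) => field in tokenResponse);
  return hasUserFields ? 'online' : 'offline';
}

// Hypothetical helper: list the reasons this token is unlikely to work for
// creating a Storefront token. An empty list means no problem was found.
function storefrontTokenPreflight(tokenResponse) {
  const problems = [];
  if (typeof tokenResponse.access_token !== 'string' || tokenResponse.access_token === '') {
    problems.push('missing access_token');
  }
  if (classifyAccessMode(tokenResponse) === 'online') {
    problems.push("token issued in 'online' access mode; request accessMode: 'offline'");
  }
  const scopes = String(tokenResponse.scope || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  if (!scopes.some((s) => s.startsWith('unauthenticated_'))) {
    problems.push('no unauthenticated_* (Storefront API) scope granted');
  }
  return problems;
}

// Constructed sample responses; token values are placeholders, not credentials.
const offlineSample = {
  access_token: 'PLACEHOLDER_OFFLINE_TOKEN',
  scope: 'write_products,unauthenticated_read_product_listings',
};
const onlineSample = {
  access_token: 'PLACEHOLDER_ONLINE_TOKEN',
  scope: 'write_products,unauthenticated_read_product_listings',
  expires_in: 86399,
  associated_user_scope: 'write_products',
  associated_user: { id: 1, email: 'user@example.com' },
};

console.log('offline sample:', storefrontTokenPreflight(offlineSample));
console.log('online sample:', storefrontTokenPreflight(onlineSample));
```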