Re: When to use Access Token and when Api Key

When to use Access Token and when Api Key

Arb_Hz
Visitor
1 0 1

Hi,

 

I am not a developer so this might be a basic question but help me out here.

 

I am using python Requests to get the order using following URL and it works fine.

url = "https://{API KEY}:{Admin @api Token}@mystore.myshopify.com/admin/api/2022-04/orders.json?status=any"

 

However when I connect to Google sheets through a connector ( Apipheny, which would be using App Script) I am using "X-Shopify-Access-Token" along with Admin API Token and it works fine too ( these are added in Header). If I use Api Key in place of X-Shopify-Access-Token it doesn't work.

 

So I am confused when to use API key and when to use X-Shopify-Access-Token ( what do we even call this?)

 

Thanks!

 

Replies 2 (2)

mahbubx1
Shopify Partner
2 0 0

I have the same confusion too. 

The following code example works in shopify python SDK

import shopify
url = f"https://:{admin_access_token}
@mystore.myshopify.com/admin" 
shopify.ShopifyResource.set_site(url)
shop = shopify.Shop.current()
print(shop.to_dict())

I mean, API_KEY is even not required. I explored a bit deep from my confusion. 
What I found from `pyactiveresource` module was, 

 

 

 

self.auth = base64.b64encode(('%s:%s' % (self.user, self.password)).encode('utf-8')).decode('utf-8')

 

 

 


Here,

self.password is definitely admin_access_token and self.user is either blank string or API_KEY is accepted. Yes, we are talking about custom app. 

From debug log, Basic Auth header is found which is base64 hashed string found from the above code. 

pyactiveresource.connection: request-headers:User-agent:ShopifyPythonAPI/12.0.0 Python/3.8.13
Authorization:Basic base64hashedstring

So, from my analogy, Python SDK is still using Basic Authentication without sending any X-Shopify-Access-Token  yet it works. 

This is confusing since,

 official Shopify Admin REST documentation asked to Include admin access token on X-Shopify-Access-Token header on all API queries. But it is still taking Basic Auth in old fashioned way

mahbubx1
Shopify Partner
2 0 0

According to github latest doc, the proper request should be sent as follows(if you already have admin access token from custom app),

import shopify

shopify_host = "https://mystore.myshopify.com"
api_version = '2022-07' # I used current latest version, you can use any that is available
admin_access_token = "XymsG.......sDff"
session = shopify.Session(shopify_host, api_version, admin_access_token)
shopify.ShopifyResource.activate_session(session)

shop = shopify.Shop.current()
print(shop.to_dict())

# Clear session
shopify.ShopifyResource.clear_session()


Above code sends access_token in header,
pyactiveresource.connection: request-headers:User-agent:ShopifyPythonAPI/12.0.0 Python/3.8.13
X-shopify-access-token:shpat****************************352