Customer Access Tokens returned from my app are invalid

JSensback
Shopify Partner

I have an application that lets users register and log in using the Storefront API. When a user logs in, the storefront is asked for a Customer Access Token:

mutation customerAccessTokenCreate($input: CustomerAccessTokenCreateInput!) {
  customerAccessTokenCreate(input: $input) {
    customerAccessToken {
      accessToken
      expiresAt
    }
  }
}

It returns what appears to be a valid JWT, but when this JWT is passed into a query for the user's data, it returns a null user:

query {
  customer(customerAccessToken: "access-token-goes-here") {
    id
    firstName
    lastName
    acceptsMarketing
    email
    phone
  }
}

returns:

{
  "data": {
    "customer": null
  }
}

What's odd is that if I use the customerAccessTokenCreate mutation directly through the Shopify GraphiQL editor, the JWT it returns is different and actually works to query for their data:

{
  "data": {
    "customer": {
      "id": "gid://shopify/Customer/xyz",
      "firstName": null,
      "lastName": null,
      "acceptsMarketing": false,
      "email": "whatever@whatever.com",
      "phone": null
    }
  }
}

Why might my application be returning JWTs that are invalid, but the GraphiQL editor returns valid ones?

Replies 2 (2)

JustinRadomski
Shopify Partner

I'm running into the same issue here using the 2023-04 Storefront API. Any attempt at using the accessTokens generated from my NextJS app's POST requests results in a null customer.

Edit: I found the issue. Hopefully you're in the same boat as me and juggling two different Storefront Access Tokens (not user access tokens). One of them is from the Headless sales channel app and the other (with proper permissions) is coming from a custom app. I had the sales channel token with the incorrect permissions being used in the JWT login process. Why it was actually generating a user access token, I can't tell you, but switching to the correct Storefront access token did the trick and gave me the right user access tokens. 

JSensback
Shopify Partner
I've figured it out, for me anyway. The access tokens are Shopify-app specific, meaning tokens created within the GraphiQL editor only work within the editor, and the access tokens created with your custom app that connects your front-end to the storefront API only will work within your front-end. Hope that made sense.
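
The behaviour both replies describe, as an added example that is not code from any poster or from Shopify: a small helper that records which Storefront access token minted a customer access token and refuses to query `customer` through a different one. The `label` names, the shop domain argument and the helper names are assumptions made for illustration; each `init` object is meant to be passed to `fetch(url, init)`.

```javascript
const API_VERSION = "2023-04"; // version mentioned in the thread

const CREATE_TOKEN = `mutation customerAccessTokenCreate($input: CustomerAccessTokenCreateInput!) {
  customerAccessTokenCreate(input: $input) {
    customerAccessToken { accessToken expiresAt }
    customerUserErrors { code field message }
  }
}`;
const GET_CUSTOMER = `query getCustomer($token: String!) {
  customer(customerAccessToken: $token) { id email }
}`;

// storefront = { label, token }: a developer-chosen name plus the Storefront access token.
function buildRequest(shop, storefront, query, variables) {
  return {
    url: `https://${shop}/api/${API_VERSION}/graphql.json`,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "X-Shopify-Storefront-Access-Token": storefront.token,
      },
      body: JSON.stringify({ query, variables }),
    },
  };
}

function loginRequest(shop, storefront, email, password) {
  return buildRequest(shop, storefront, CREATE_TOKEN, { input: { email, password } });
}

// Turn the mutation response into a session that remembers its issuing Storefront token.
function sessionFromLogin(storefront, payload) {
  const result = payload.data.customerAccessTokenCreate;
  if (!result.customerAccessToken) {
    const codes = result.customerUserErrors.map((e) => e.code).join(",");
    throw new Error(`login failed: ${codes}`);
  }
  return { ...result.customerAccessToken, issuer: storefront.label };
}

// Fail loudly on a mismatch instead of receiving a silent `customer: null`.
function customerRequest(shop, storefront, session) {
  if (session.issuer !== storefront.label) {
    throw new Error(`customer token issued via "${session.issuer}", not "${storefront.label}"`);
  }
  return buildRequest(shop, storefront, GET_CUSTOMER, { token: session.accessToken });
}
```

Requesting `customerUserErrors` alongside the token surfaces login failures that the original mutation would hide.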