Shopify GraphiQL API works for admin but not in storefront



I have been posting this issue for over two weeks, but no one can answer the questions.

I have an app; it is public, not private!


I use some variables for the Admin side and it works perfectly!

url : /admin/api/2020-07/graphql.json

if (!is_null($token)) $request_headers[] = "X-Shopify-Access-Token: " . $token;
$request_headers[] = "Accept: application/json";
$request_headers[] = "Content-Type: application/json";
$request_headers[] = "Host: ".$shop;
$request_headers[] = "cache-control: no-cache";


The $token variable is the access key for the Shopify user who installs the app, and I get the key during installation.

I know there are different options for a public app to use the GraphQL API, so I use the same token for the storefront!

url : /api/2020-07/graphql.json

if (!is_null($token)) $request_headers[] = "X-Shopify-Storefront-Access-Token: " . $token;
$request_headers[] = "Accept: application/json";
$request_headers[] = "Content-Type: application/json";
$request_headers[] = "Host: ".$shop;
$request_headers[] = "cache-control: no-cache";


----> NOT OK!

The response returns empty and the response code is 403.

I did not understand what Shopify means in the documentation about "X-Shopify-Storefront-Access-Token".

I do not see any specific key for this method. By the way, my app is not in a sales channel.

One test store installed the app and I am using the access key for that store in the $token variable.

If you ask where I generate the $token variable, here is the answer:

$api_key = "ad610a996a4aa4f3546890eexxxxxxxx";
$shared_secret = "shpss_511156b13933c45808857dedxxxxxxxx";
$params = $_GET; // Retrieve all request parameters
if (isset($_GET['hmac'])) {
    $hmac = $_GET['hmac']; // Retrieve HMAC request parameter
    $params = array_diff_key($params, array('hmac' => '')); // Remove hmac from params
    ksort($params); // Sort params lexicographically
    $computed_hmac = hash_hmac('sha256', http_build_query($params), $shared_secret);
    // Use hmac data to check that the request really came from Shopify
    if (hash_equals($hmac, $computed_hmac)) {
        // Set variables for our request
        $query = array(
            "client_id" => $api_key, // Your API key
            "client_secret" => $shared_secret, // Your app credentials (secret key)
            "code" => $params['code'] // Authorization code from the callback URL
        );
        // Generate access token URL
        $access_token_url = "https://" . $params['shop'] . "/admin/oauth/access_token";
        // Configure curl client and execute request
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_URL, $access_token_url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($query));
        $result = curl_exec($ch);
        curl_close($ch);
        // Store the access token
        $result = json_decode($result, true);
        $access_token = $result['access_token'];
        // $access_token is what the $token variable holds.
    }
}

However, I cannot access data with the GraphQL API for the Storefront API.

Please help me to solve this problem.

Thank you!

Replies 2 (2)


"status":"HTTP\/1.1 403 Forbidden\r",
"Date":"Sun, 23 Aug 2020 15",
"Set-Cookie":"__cfduid=dee7e7fedaf75df668529f0e99dc68a061598197281; expires=Tue, 22-Sep-20 15",
"Content-Security-Policy":"frame-ancestors 'none'; report-uri \/csp-report?source%5Baction%5D=query&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=api%2Fgraphql&source%5Bsection%5D=api&source%5Buuid%5D=d2881d60-818e-49a1-a648-31f9ebd9fdd7",
"X-XSS-Protection":"1; mode=block; report=\/xss-report?source%5Baction%5D=query&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=api%2Fgraphql&source%5Bsection%5D=api&source%5Buuid%5D=d2881d60-818e-49a1-a648-31f9ebd9fdd7",
"Expect-CT":"max-age=604800, report-uri=\"https",

Shopify Staff

Hey @Aljazari 

You might want to check out this documentation on getting the storefront access token, specifically the part for public apps.

Kevin_A | Solutions Engineer @ Shopify 
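The flow the staff reply points at, written out as an added example (this is not code from the original post or from Shopify): a public app cannot reuse its OAuth access token against /api/2020-07/graphql.json. It first mints a storefront access token through the Admin API (the storefrontAccessTokenCreate mutation), stores it with the shop record, and sends that token in X-Shopify-Storefront-Access-Token. Assumptions: $shop and $adminToken are the values the OAuth callback above produces (here read from SHOPIFY_SHOP and SHOPIFY_ADMIN_TOKEN), the app requested an unauthenticated_* scope such as unauthenticated_read_product_listings at install time, and the token title and the products query are illustrative.

```php
<?php
// Added example, not from the original post or from Shopify. Assumes PHP 7.3+ with ext-curl.

// Minimal JSON POST helper; throws on transport errors, non-200 status, or GraphQL errors.
function shopify_post_json(string $url, array $headers, array $body): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_HTTPHEADER     => array_merge(
            ['Content-Type: application/json', 'Accept: application/json'],
            $headers
        ),
        CURLOPT_POSTFIELDS     => json_encode($body),
    ]);
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($raw === false) {
        throw new RuntimeException("curl error: $err");
    }
    $decoded = json_decode($raw, true);
    if ($status !== 200 || !is_array($decoded)) {
        // A 403 with an empty body is what the wrong token type produces on the Storefront endpoint.
        throw new RuntimeException("HTTP $status from $url: $raw");
    }
    if (!empty($decoded['errors'])) {
        throw new RuntimeException('GraphQL errors: ' . json_encode($decoded['errors']));
    }
    return $decoded;
}

// Admin API: authenticated with the OAuth access token in X-Shopify-Access-Token.
function admin_graphql(string $shop, string $adminToken, string $query, array $variables = []): array
{
    return shopify_post_json(
        "https://$shop/admin/api/2020-07/graphql.json",
        ["X-Shopify-Access-Token: $adminToken"],
        ['query' => $query, 'variables' => $variables]
    );
}

// Storefront API: authenticated with a storefront access token in
// X-Shopify-Storefront-Access-Token. The admin token is not accepted here.
function storefront_graphql(string $shop, string $storefrontToken, string $query, array $variables = []): array
{
    return shopify_post_json(
        "https://$shop/api/2020-07/graphql.json",
        ["X-Shopify-Storefront-Access-Token: $storefrontToken"],
        ['query' => $query, 'variables' => $variables]
    );
}

// Mint a storefront access token with the Admin API. Do this once per shop and persist the result.
function create_storefront_token(string $shop, string $adminToken, string $title): string
{
    $mutation = <<<'GQL'
mutation storefrontTokenCreate($input: StorefrontAccessTokenInput!) {
  storefrontAccessTokenCreate(input: $input) {
    storefrontAccessToken { accessToken title accessScopes { handle } }
    userErrors { field message }
  }
}
GQL;
    $resp    = admin_graphql($shop, $adminToken, $mutation, ['input' => ['title' => $title]]);
    $payload = $resp['data']['storefrontAccessTokenCreate'] ?? [];
    if (!empty($payload['userErrors'])) {
        throw new RuntimeException('storefrontAccessTokenCreate: ' . json_encode($payload['userErrors']));
    }
    return $payload['storefrontAccessToken']['accessToken'];
}

// Usage. Shop and admin token are assumptions (the OAuth callback above is where they come from).
$shop       = getenv('SHOPIFY_SHOP') ?: 'example-store.myshopify.com';
$adminToken = getenv('SHOPIFY_ADMIN_TOKEN') ?: 'shpat_replace_me';

$storefrontToken = create_storefront_token($shop, $adminToken, 'my-public-app storefront');
// Persist $storefrontToken alongside the shop record; do not mint a new one on every request.

$products = storefront_graphql($shop, $storefrontToken, <<<'GQL'
{ products(first: 5) { edges { node { id title } } } }
GQL);
print_r($products['data']['products']['edges']);
```

Two points worth keeping straight when wiring this in. The storefront token only carries the unauthenticated_* scopes the app was granted at install, so it is the token that may be exposed to a browser or mobile client; the admin token grants everything the merchant approved and must stay on the server, which is also why the Storefront endpoint refuses it. And the accessScopes field returned by the mutation is the quickest way to confirm which scopes a freshly minted token actually has when a storefront query comes back empty.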