[API] Invalid API key or access token

Mike32
New Member

Hello,

We are consistently receiving an error when uploading a tracking number for our orders through the API, with the response showing the message "[API] Invalid API key or access token (unrecognized login or wrong password)", even though the credentials are valid, and have all appropriate permissions. This error occurs regardless of the actual API key we use, even when all permissions are enabled.

We are also seeing the same scenario when we attempt to upload a new item to our catalog, as well.

The credentials are being submitted using the base-64-encoded "APIKey:Password" format in an additional header named "Authorization", as described in other posts and the API documentation.

Below are the details of a recent request which was rejected, even though the request and the data itself are properly formatted and the credentials are valid. It is clear that the credentials are valid, as we are able to connect to and retrieve orders from the API with no problems.

API Key: d884bb8fed9221203710923ca8f28662

Request Details:

URL: https://godpsmusic.myshopify.com/admin/orders/5089613125/fulfillments.json
Action: POST
Accept: application/json
Content-Type: application/json
ContentLength: 88
Authorization: Basic ZDg4N...
Request Body: {"fulfillment":{"tracking_number": "9400110200881547551513","tracking_company": "USPS"}}

Response: The remote server returned an error: (401) Unauthorized. {"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}

Alex
Shopify Staff

Hey Mike,

It's possible that your base64 encoded string is adhering to RFC 2045 specification vs RFC 4648 specification. RFC 2045 base64 strings have newline characters every 60 characters and I believe an additional one on the end, while RFC 4648 base64 strings have all newline characters stripped out. We expect a base64 string adhering to RFC 4648.

If you're using Ruby, the only difference is in using the Base64.strict_encode64 method rather than Base64.encode64.

I hope that helps.

Alex | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog
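
Added example, not part of the original thread or Shopify's code: the difference described above between Base64.encode64 and Base64.strict_encode64 when building an `Authorization: Basic` value, with a pre-flight check a client can run on the header before sending it. The credentials are constructed placeholders and the helper names are hypothetical.

```ruby
require "base64"

# Constructed sample credentials (not real): a 32-hex API key and password,
# the "APIKey:Password" shape used for Basic auth in this thread.
API_KEY  = "0123456789abcdef0123456789abcdef"
PASSWORD = "fedcba9876543210fedcba9876543210"

# Header value built with the line-wrapping encoder. Ruby's encode64 adds a
# line feed after every 60 encoded characters and one at the end.
def wrapped_basic_header(key, password)
  "Basic " + Base64.encode64("#{key}:#{password}")
end

# Header value built with the RFC 4648 encoder: one line, no line feeds.
def strict_basic_header(key, password)
  "Basic " + Base64.strict_encode64("#{key}:#{password}")
end

# Hypothetical pre-flight check for an outgoing Authorization value.
# Returns a list of problems; an empty list means the value is a single-line
# Basic credential that decodes to "user:password".
def basic_header_problems(value)
  scheme, _, token = value.partition(" ")
  return ["not a Basic credential"] unless scheme == "Basic" && !token.empty?

  problems = []
  problems << "contains CR/LF" if token.match?(/[\r\n]/)
  begin
    decoded = Base64.strict_decode64(token)
    problems << "decoded value has no ':' separator" unless decoded.include?(":")
  rescue ArgumentError
    problems << "not strict RFC 4648 base64"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  [wrapped_basic_header(API_KEY, PASSWORD),
   strict_basic_header(API_KEY, PASSWORD)].each do |header|
    puts "#{header.inspect} -> #{basic_header_problems(header).inspect}"
  end
end
```

Running the same check on the header produced by every code path (GET, POST, PUT) shows whether one of them encodes the credentials differently from the others.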

Mike32
New Member

Hello Alex,

Thank you for this information. We have revisited this piece, and we've verified that the base-64 string contains no line breaks, and is using the RFC 4648 as you expect.

As mentioned in the original post, we are able to retrieve records from the Shopify API with no problem, using the same credentials formatted the same way. We can retrieve orders, fulfillment records, and product records, but we cannot "post" or "put" fulfillment or product records using these credentials.

It seems that the "read and write" option in the permissions for the API key is not correctly allowing the "write" access, while still allowing the "read" access.

Is there another setting for our account that must be changed to enable the private key as valid for the "write" permissions?

Or is there some other issue which is preventing the API key from being seen as valid during a "write" request, even though it is valid during a "read" request?

Alex
Shopify Staff

Hey Mike,

Can you point me to a shop I can look at and the app name in question? I can dig in on our end and see if I can replicate.

Cheers.

Alex | Shopify 

Mike32
New Member

Hi Alex,

Our shop is https://godpsmusic.myshopify.com, and it sounds like you are asking which public app we are using.

We are using a private app we've built to connect directly to our Shopify account from our backend systems. This private app allows us the customization we need in order to ensure our data from our backend maps to Shopify and vice-versa for a full automated connection between the two systems.

Is there a way that we can schedule a call with one of your team and work together on that call to capture the request from our system and the corresponding API response, and pinpoint the issue?

Thank you.

Andy_Lower
Shopify Partner

Forgive me if I'm way off the mark here, just thought I'd give it a go... when we're posting to Shopify, it looks as if our headers are different from yours:

"X-Shopify-Access-Token", Token
"Content-Type", "application/json"
"client_id", APIKey
"client_secret", SecretKey

Are you including these the same as we do? Not sure if it has anything to do with ours using the embedded sdk etc.

Kind regards, Andy Lower PandaCake Shopify Partners

Alex
Shopify Staff

Hey Mike,

We aren't equipped to take calls in dev support. I'm not seeing any requests being made by the private api client in question in this past 30 days but that could just be a nuance of our logging engine. Could you provide an x-request-id (the more recent the better) I can refer to? You'd get this as a response header to these requests.

Cheers.

Alex | Shopify 

Mike32
New Member

Hi Alex,

We've submitted a new request to "post" a new item, and we've received the same error again: 401 Unauthorized. {"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"} .

The X-Request-ID for this upload is 1a9cc8da-d1c4-4edd-aad0-355374e3bf79. Please investigate this and let us know what you find.

Thank you.

Mike32
New Member

Hi Andy,

Thank you for the details. We've reviewed the headers you're using, and it appears that you are using the OAuth authentication methods, whereas our system is using the Private authentication methods from a Windows-based application, which has some differences in the credentials and how they are sent during the requests.

Alex
Shopify Staff

Hey Mike,

Unfortunately the logs haven't been enough to indicate the problem but I had another observation.

If you were to make a POST request to /admin/products.json with no body and a bad auth header, you would receive a 401 response. If you fixed the header, you'd receive a 400 Bad Request response, since we obviously prioritize checking the authorization header before checking the structure of the request.

I was able to, as your api client, make an empty POST request to /admin/products.json that, if it had a proper auth header, would still result in a 400 response, so no data would be changed or created. I encoded the credentials as base64 and included the output in an `Authorization: Basic ...` header and was able to consistently pass the authentication check (resolving to a 400 response).

This tells me there is still something occurring in your architecture that's causing this, perhaps in how it's encoded if it's done perhaps slightly different across your get/post methods?

Cheers.

Alex | Shopify 

Muhammad_Idrees
New Member

I am also facing the same issue mentioned above.

I also want to create my own custom checkout page. On that page I want to get details of my product, customer and shop, and I am unable to do that. Even though all my credentials, including the API key and API secret key, are 100% assured to be correct, I am still facing this error:

stdClass Object
(
    [errors] => [API] Invalid API key or access token (unrecognized login or wrong password)
)

When I put this URL directly into my browser, I can fetch the data:

https://myapikey:myapisecretkey@themeatking.myshopify.com/admin/shop.json

But unfortunately, when I try to get this information using curl, I get the error shown above.

Kindly help me out.

Alex
Shopify Staff

Hey Muhammad.

When referencing your name and the shop URL I was able to find what I believe to be your private app. I tested a call to shop.json using your credentials in curl with no issue. Are you using the password from your private app credentials or your shared secret? You will need to use the password:

curl "https://APIkey:Password@themeatking.myshopify.com/admin/shop.json"

Cheers.

Alex | Shopify 

Jack_Lee3
Shopify Partner

Happens to us when creating products, especially on ONE SHOP just after MIDNIGHT EST

We see this event a couple times a week...but can create products on other shops and on this shop at other times.

 

cluboutdoors.myshopify.com

12:26 AM 8-8-2018, several failures.

Muhammad_Idrees
New Member

Hi Alex

I am also able to get the data by referencing my credentials in the URL, but when I want to get access through curl and show the data of my shop, order or product, I get the error mentioned above. If you share your personal email with me at idrees_android@outlook.com, then I will share my private credentials with you to completely diagnose the real issue.

Alex
Shopify Staff

@jack can you please share an x-request-id response header you will have received after making the failing request?

@muhammad that won't be necessary. With a request-id I can infer your API key, and by extension, any private credentials you have that are related if necessary. Are you saying it just isn't working in curl?

Cheers.

Alex | Shopify 

Muhammad_Idrees
New Member

Hi Alex

Yes it is not working in curl.

 

Alex
Shopify Staff

Can you provide a request ID and show me what your curl request looks like (excluding credentials)?

Alex | Shopify 

bjsmasth_Admin
New Member

I think your problem is the authorization header; it should be Basic Og==

Rustproof
New Member

{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}

I had the same auth error when curling an API key for a public app vs. a private app. Once I set up the API key under a private app, I was able to authenticate via curl.

To set up a new API key with a private app, just add this after your store name.

myshopify.com/admin/apps/private

 

I'm not sure why my public API keys won't authenticate.

Yash_
Tourist


 

1 > I created a new app.

2 > The app installed without error. DONE.

3 > I also get the app's access_token and store URL.

I get all products using this API:

GET /admin/api/2020-07/products.json

(Image shown in the screenshot)

Code below.

ERROR >>>> Array ( [errors] => [API] Invalid API key or access token (unrecognized login or wrong password) ) 1

Any solution for this error?

CODE>>

// shopify_call() is the poster's own helper; its definition is not shown in the post.
$products = shopify_call($token, $shop_url, "/admin/api/2021-01/products.json", array(), 'GET');

// Second argument true decodes the JSON into an associative array.
$products = json_decode($products['response'], true);

// print_r() prints the array and returns true, which echo renders as the trailing "1".
echo print_r($products).'<br>';