storefrontAccessTokenCreate mutation always returns "Access Denied"

tolgapaksoy
Shopify Partner

I am working on an app that also requires a storefront access token. I am setting it up to create an access token when the app is logged into.

But it always returns an error:

mutation storefrontAccessTokenCreate($input: StorefrontAccessTokenInput!) {
  storefrontAccessTokenCreate(input: $input) {
    storefrontAccessToken {
      accessToken
    }
    userErrors {
      field
      message
    }
  }
}

And variables:

{
  "input": {
    "title": "Test name"
  }
}

Which outputs:

{
  "data": {
    "storefrontAccessTokenCreate": null
  },
  "errors": [
    {
      "message": "StorefrontAccessTokenCreate access denied",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "storefrontAccessTokenCreate"
      ]
    }
  ],
  "extensions": {
    "cost": {
      "requestedQueryCost": 10,
      "actualQueryCost": 10,
      "throttleStatus": {
        "maximumAvailable": 1000.0,
        "currentlyAvailable": 990,
        "restoreRate": 50.0
      }
    }
  }
}

Do I need a special scope to call storefrontAccessTokenCreate? If yes, then this isn't documented at all on pages https://shopify.dev/docs/admin-api/graphql/reference/mutation/storefrontaccesstokencreate?api[versio... and https://shopify.dev/docs/admin-api/access-scopes .

tolgapaksoy
Shopify Partner

Here's the X-Request-ID: 657060d8-01ec-46b2-a5bf-a76a83cf2a22

_JB
Shopify Staff

Hey @tolgapaksoy,

You need to request the unauthenticated scopes during OAuth. Details are in the docs you linked: https://shopify.dev/docs/storefront-api/getting-started#requesting-unauthenticated-scopes

JB | Solutions Engineer @ Shopify 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

tolgapaksoy
Shopify Partner

Hi @_JB 

So in order to create a Storefront token from the Admin API, I need to include all scopes from Storefront token also in my OAuth scopes for Admin API?

I just tried doing that with Request 29f77578-0646-4efe-80c3-65f03a8cb79a and it still gives me the same error.

_JB
Shopify Staff

Hey @tolgapaksoy,

I just pulled up that request but I'm still not seeing the unauthenticated scopes. The scopes I'm referring to all begin with the word unauthenticated, full list can be found here.

Keep in mind that if you're testing on a shop where the app was installed previously, you'll need to update the scopes first. You can do this by deleting the app and requesting the new scopes during install, or redirect the user back to OAuth with the new scopes included in the URL.


yakpak_rahulm
Excursionist

Hi!

I'm seeing the same behavior. I'm receiving a "StorefrontAccessTokenCreate access denied" when I try a storefrontAccessTokenCreate mutation. I have the unauthenticated_ access scopes and uninstalled + reinstalled the app to make sure they've been set. Also, my app is a sales channel (in development phase). Here is one of the request IDs: 226d2e92925f59d2107d136ed948c228.

I've also tried sending the request from the GraphiQL explorer tool (from my test shop) and receive the same "access denied" error. Is there anything I can do about this?

Thanks,
Rahul

yakpak_rahulm
Excursionist

@_JB are you still the right POC for this issue?

yakpak_rahulm
Excursionist

I've solved this issue by making the access mode for my Admin API's access token "offline". For Shopify, I would recommend adding this to the Storefront API access token documentation since it's an implicit requirement.

kuwakino
New Member

Thanks @yakpak_rahulm, I was facing the same.

For the ones who want to use the offline mode:
https://shopify.dev/concepts/about-apis/authentication#offline-access

https://shopify.dev/tutorials/authenticate-with-oauth#step-2-ask-for-permission

I was using the koa-auth library, and it includes &grant_options%5B%5D=per-user in the query params.
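
Added example (not part of any post in this thread, and not Shopify's or koa-auth's code): a small Node.js check of an OAuth authorize URL against the two conditions reported above, that at least one unauthenticated_* scope is requested and that grant_options[]=per-user is absent so the resulting token is offline. The shop domain, client_id, redirect URI and state in the sample URLs are constructed placeholders; whether the app is a sales channel cannot be seen in the URL and is not checked.

```javascript
// Constructed sample URLs (placeholders, not taken from the thread).
const BASE = 'https://example-shop.myshopify.com/admin/oauth/authorize' +
  '?client_id=PLACEHOLDER_API_KEY' +
  '&redirect_uri=https%3A%2F%2Fapp.example%2Fauth%2Fcallback&state=PLACEHOLDER_NONCE';

// Online (per-user) request with Admin scopes only: the failing setup.
const ONLINE_URL = BASE + '&scope=read_products,write_orders' +
  '&grant_options%5B%5D=per-user';

// Offline request that also asks for Storefront (unauthenticated_*) scopes.
const OFFLINE_URL = BASE +
  '&scope=read_products,unauthenticated_read_product_listings,unauthenticated_write_checkouts';

function checkAuthorizeUrl(authorizeUrl) {
  const url = new URL(authorizeUrl);
  const findings = [];

  // Scopes are sent as one comma-separated `scope` parameter.
  const scopes = (url.searchParams.get('scope') || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);

  const storefrontScopes = scopes.filter((s) => s.startsWith('unauthenticated_'));
  if (storefrontScopes.length === 0) {
    findings.push('no unauthenticated_* scope requested');
  }

  // URLSearchParams decodes grant_options%5B%5D to "grant_options[]".
  // per-user asks for an online token; leaving it out asks for an offline one.
  const grantOptions = url.searchParams.getAll('grant_options[]');
  const accessMode = grantOptions.includes('per-user') ? 'online' : 'offline';
  if (accessMode === 'online') {
    findings.push('grant_options[]=per-user requests an online token');
  }

  return { accessMode, storefrontScopes, findings, ok: findings.length === 0 };
}

for (const [name, u] of [['online', ONLINE_URL], ['offline', OFFLINE_URL]]) {
  console.log(name, JSON.stringify(checkAuthorizeUrl(u)));
}
```

The check covers requested scopes only; on a shop where the app is already installed, the granted scopes stay as they were until the merchant goes through OAuth again with the new list.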

yakpak_rahulm
Excursionist

Using "offline" access mode is causing GraphQL calls to be redirected to "/auth". @_JB is there a way to create an "offline" access token to fetch a storefront access token upon installation, AND an "online" access token on every auth to make GraphQL queries?

ssagli
Tourist

Have you received any answer from the support team? I am having the same issue where I have all of the unauthenticated scopes listed, mode is on offline and access token passed in.

_JB
Shopify Staff

Hey @yakpak_rahulm,

Thanks for outlining how you solved it.

@yakpak_rahulm and @ssagli can you confirm if you're seeing the redirect to /auth while using an HTTP client like Postman or Insomnia? If so, this is likely related to cookies being sent with the request. Deleting the cookies from your client and resending the request should fix it. If that doesn't explain it, please record the X-Request-ID value from the response header of your call, and I'll check the logs for more details.


yakpak_rahulm
Excursionist

Hi @_JB,

I'm seeing the redirect to /auth directly in the Shopify app. I'm also using tokens to authorize (not cookies), so I don't think that's the cause. However, I solved this issue by requesting an online AND offline token, and using the online token for API calls from my Shopify app.

Best,
Rahul

ssagli
Tourist

I was trying to request access from my frontend thinking that I could when it should have been from my backend. Thank you so much for your help!

dandandandandan
New Member

Is this not possible with a public app? I was able to successfully create a storefrontAccessToken via Admin API for a custom app, but not a public one.

mariusbld
Shopify Partner

I was getting the same error because my app was not a Sales Channel. I converted it to a Sales Channel and now it works.