Access token in session is always Online not Offline as expected

Solved


dansspify
Shopify Partner

According to the docs, the access token in my session server side should by default be an Offline type token ('shpat') however I have recently started always seeing an Online type token ('shpua').

I have tried changing the direct api mode in my TOML as per:

```
[access.admin]
direct_api_mode = "offline"
```

Still no joy.

I am using the Node Template:
https://github.com/Shopify/shopify-app-template-node

 

1.) What am I missing in order to always have the token as an Offline type token?

2.) If something's changed in the API, how can I get the Offline token from an Online token?


jaka_man
Shopify Partner
Hi Dansspify,

To exchange a session token for an offline access token, make a token exchange request with the requested_token_type parameter set to: urn:shopify:params:oauth:token-type:offline-access-token
This will return a long-lived offline access token. You can refer to Shopify’s official documentation for details:

Let me know if you run into any issues.
- Found this useful? A Like or Solution mark helps others find it too!
dansspify
Shopify Partner

In doing that I still get back an Online token:

```
curl -X POST \
https://myshopname.myshopify.com/admin/oauth/access_token \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d '{
"client_id": "my client id",
"client_secret": "my secret",
"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
"subject_token": "JWT received from app bridge in requests",
"subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
"requested_token_type": "urn:shopify:params:oauth:token-type:offline-access-token"
}'
```

Returns:

```
{
"access_token": "shpua_d1...",
"scope": "read_discounts,read_inventory,read_metaobject_definitions,read_shipping,write_draft_orders,write_orders,write_products"
}
```

I get back an Online token.

jaka_man
Shopify Partner

Please inspect the response from the token exchange request.

 

  • If the response contains an online access token, it will include the following fields:
    access_token, scope, expires_in, associated_user_scope, and associated_user.

  • If it’s an offline access token, the response will only include:
    access_token and scope.

Then you will know whether it is an offline or online access token.

Let me know if you need help verifying the response data.

 

- Found this useful? A Like or Solution mark helps others find it too!
dansspify
Shopify Partner

My response is like:

```
{
"access_token": "shpua_d1...",
"scope": "read_discounts,read_inventory,read_metaobject_definitions,read_shipping,write_draft_orders,write_orders,write_products"
}
```

So the question is - I have been assuming all along that the token prefix 'shpua_' indicates 'Online' and 'shpat_' indicates 'Offline'...

Are the prefixes here a red herring and in fact I just need to check the response shape (as you have explained in your previous reply) to denote the token type, ignoring anything to do with the prefix?

jaka_man
Shopify Partner

There is no official documentation explaining the prefixes in access tokens. You can disregard the prefix and treat the token like any other valid access token.
Hope this helps

- Found this useful? A Like or Solution mark helps others find it too!
dansspify
Shopify Partner

This is an accepted solution.

Ok well that at least clears this up, looks like I've been slapped with a giant red herring.

For others reading this:

 

- Either see the above suggestion for exchanging an ID token for an Offline Access Token or

- If you're using a template like the Node one that I am (see OP) then you will already have the token in the res.locals.shopify.session object. I believe the flag 'isOnline' can be used to identify whether that is an Online or Offline token.

And finally - ignore the token prefix!
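
The response-shape check discussed in this thread, as an added example that is not part of the original posts or of Shopify's template code: it classifies a token exchange response by the fields listed above and rejects a response whose kind differs from the `requested_token_type`. The function names, the fail-closed handling of partial responses and the sample bodies are assumptions of this example; the online URN does not appear in the thread.

```javascript
// Added example: decide online vs offline from the response shape, never the prefix.
const OFFLINE = "urn:shopify:params:oauth:token-type:offline-access-token";
const ONLINE = "urn:shopify:params:oauth:token-type:online-access-token";
// Fields the thread lists as present only in online-token responses.
const ONLINE_ONLY = ["expires_in", "associated_user_scope", "associated_user"];

function classifyTokenResponse(body, now = Date.now()) {
  if (!body || typeof body.access_token !== "string" || typeof body.scope !== "string") {
    throw new Error("malformed token response: access_token and scope are required");
  }
  const present = ONLINE_ONLY.filter((field) => body[field] !== undefined);
  // Assumption of this example: a response carrying only some of the online
  // fields is rejected (fail closed) rather than guessed at.
  if (present.length !== 0 && present.length !== ONLINE_ONLY.length) {
    throw new Error(`ambiguous token response, online fields seen: ${present.join(",")}`);
  }
  const isOnline = present.length === ONLINE_ONLY.length;
  if (isOnline && !(Number.isFinite(body.expires_in) && body.expires_in > 0)) {
    throw new Error("online token response has an invalid expires_in");
  }
  return {
    isOnline,
    scopes: body.scope.split(",").map((s) => s.trim()).filter(Boolean),
    expiresAt: isOnline ? new Date(now + body.expires_in * 1000) : null,
    userId: isOnline ? body.associated_user?.id ?? null : null,
  };
}

// Refuse to store a token whose kind differs from what was requested.
// Error messages never contain the token itself, so they are safe to log.
function verifyExchange(requestedTokenType, body) {
  if (requestedTokenType !== OFFLINE && requestedTokenType !== ONLINE) {
    throw new Error("unknown requested_token_type");
  }
  const info = classifyTokenResponse(body);
  if (info.isOnline !== (requestedTokenType === ONLINE)) {
    throw new Error(`response shape is ${info.isOnline ? "online" : "offline"}, not what was requested`);
  }
  return info;
}

// Constructed sample responses; both use the same prefix on purpose.
const offlineBody = { access_token: "shpua_constructed_1", scope: "read_discounts,write_orders" };
const onlineBody = {
  access_token: "shpua_constructed_2", scope: "read_discounts,write_orders",
  expires_in: 86400, associated_user_scope: "write_orders", associated_user: { id: 1001 },
};
console.log(verifyExchange(OFFLINE, offlineBody), verifyExchange(ONLINE, onlineBody));
```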