Re: Using access token for a store to call shopify python sdk


2 0 0


We're creating a sales channel with an embedded app on the frontend. The frontend uses the app bridge to get the session token, which has an accessToken field inside it. I pass the accessToken into the shopify python sdk with



session = shopify.Session(



Then when I use this session to try and get all product listings from a store with the code



def get_products(self):
    """Get products"""
    with ShopifyClient( as client:
        product_listings = client.ProductListing.find()
        return [pl.to_dict() for pl in product_listings]



I get the error:



{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}%



Please, how do I get the shopify api to work? I have tried the sales channel api key instead of the accessToken and I still get the same error.




Replies 4 (4)

Shopify Partner
58 5 8

I'm still trying to understand the 'complexity' of creating apps, but as I understand it the app bridge sends a "session token" back to YOUR server. That session token is just used by YOUR server to authenticate the request from YOUR own clientside code. You have to already have either an online access token, fetched using the user id in the "session token", or an offline access token, usually stored in a db for the given shop, both from oauth. What type of app are you making? public, custom-made-in-shop, custom-made-in-shopify-dev or private (deprecated)?

2 0 0

Hi, thanks, we are making a sales-channel app. I do not understand what you mean though. Isn't it the access token from the session token sent back to our server we use to call the shopify api? Or is there another key we're meant to be using? Thanks

Shopify Partner
58 5 8

Does your app perform oauth during installation?


When you first perform oauth you can use the grant code to get an access token.   You have to save that access token in a database so you can look it up later to authenticate your requests to shopify from your server.


I'm making an embedded admin app so I'm not sure if it differs but I think app bridge works the same way for a sales channel app.  The session token (a JWT token) just confirms that the client is who it says it is, you can get the shop and logged in user id.


There is some explanation here:

Specifically:


Unlike API access tokens, session tokens can't be used to make authenticated requests to Shopify APIs.




Shopify Partner
58 5 8

Although I'm making a custom app maybe my workflow will help:

  1. owner opens install link
  2. home page sees app is not installed and redirects to begin auth page
    1. in some cases you will need to redirect to special page to break the iframe here
  3. begin auth page creates authorization url and redirects to it
  4. owner agrees to install app, shopify redirects to callback page
  5. callback page authenticates url's hmac, then uses code to call shopify api to get access token, stores access token for the user id and shop or just shop (if using offline access token), then redirects back to home page
    1. if you need both online AND offline access tokens then this is a good place to perform an additional redirect after getting the online access token to also get an offline access token
  6. home page starts up app bridge and re-enters the iframe
  7. home page generates session token and makes call back to app server
  8. app server receives requests with session token, verifies session token (JWT), extracts shop and user id, uses shop/user_id to look up access token, uses access token to make request to shopify api, gets data back, returns data to the client


So session token (JWT) != access token. And you can't get the access token from the session token as I understand it, but you need the fields to be able to look up the correct access token from your database, these are the fields it contains:


This is actually still a little simplified because detecting if the app is installed in the shop is not intuitive and properly handling when a user logs out and you need to redirect to your auth from within the iframe is also complicated.
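
Step 8 of the workflow above, as an added example that is not part of the original thread or any poster's code: the server verifies the session token, then uses the shop in it to look up the access token saved during OAuth. It assumes the session token is an HS256 JWT signed with the app secret, with `aud` set to the app's API key, `dest` to the shop URL and `sub` to the user id; `API_KEY`, `API_SECRET`, `TOKENS` and all function names are hypothetical, and the values are constructed.

```python
import base64, hashlib, hmac, json, time

API_KEY = "example-api-key"        # constructed placeholder (app API key)
API_SECRET = "example-api-secret"  # constructed placeholder (app secret)
# Constructed stand-in for the database of access tokens saved during OAuth.
TOKENS = {"example-shop.myshopify.com": "example-offline-access-token"}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign(payload, secret=API_SECRET):
    """Build an HS256 JWT; used here only to construct sample input."""
    parts = ({"alg": "HS256", "typ": "JWT"}, payload)
    data = ".".join(_b64e(json.dumps(p).encode()) for p in parts)
    return data + "." + _b64e(_mac(data, secret))

def verify_session_token(token, now=None):
    """Return the claims of a valid session token, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        given, alg, aud = _b64d(sig), header["alg"], claims["aud"]
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; never accept "none"
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(_mac(f"{head}.{body}", API_SECRET), given):
        raise ValueError("bad signature")
    if aud != API_KEY:
        raise ValueError("token issued for another app")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return claims

def access_token_for(session_token, now=None):
    """Step 8: session token -> shop -> access token stored at OAuth time."""
    claims = verify_session_token(session_token, now)
    shop = claims.get("dest", "").removeprefix("https://")
    if shop not in TOKENS:
        raise LookupError("no stored access token for shop")
    return shop, claims.get("sub"), TOKENS[shop]
```

The access token returned here, not the session token, is the value that goes into the SDK session used for Shopify API calls.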