FROM CACHE - en_header

Storefront access token request: Token must be eligible to manage storefront tokens.

wakkoyakkodot
Tourist
4 0 1

i have a sales channel app with an access token with the following scopes. 

 

https --check-status --ignore-stdin --timeout=180 GET "fancy-pants-store-1.myshopify.com/admin/oauth/access_scopes.json" Content-Type:"application/json; charset=utf-8" X-Shopify-Access-Token:"<token>"

HTTP/1.1 200 OK
CF-Cache-Status: DYNAMIC
CF-RAY: 6a15ad8d2f1a2863-DFW
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.shopifycs.com https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Faccess_scopes&source%5Bsection%5D=admin_api&source%5Buuid%5D=46b1cdd1-315d-4344-b030-bc869661c198
Content-Type: application/json; charset=utf-8
Date: Wed, 20 Oct 2021 22:28:13 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 1/40
Referrer-Policy: origin-when-cross-origin
Server: cloudflare
Strict-Transport-Security: max-age=7889238
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dc: gcp-us-east1,gcp-us-central1,gcp-us-central1
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-ID: 46b1cdd1-315d-4344-b030-bc869661c198
X-ShardId: 138
X-ShopId: 55072620683
X-Shopify-API-Version: 2021-01
X-Shopify-Shop-Api-Call-Limit: 1/40
X-Shopify-Stage: production
X-Sorting-Hat-PodId: 138
X-Sorting-Hat-ShopId: 55072620683
X-Stats-ApiClientId: 5953411
X-Stats-ApiPermissionId: 315021164683
X-Stats-UserId: 71595327627
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Faccess_scopes&source%5Bsection%5D=admin_api&source%5Buuid%5D=46b1cdd1-315d-4344-b030-bc869661c198
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{
    "access_scopes": [
        {
            "handle": "write_products"
        },
        {
            "handle": "write_customers"
        },
        {
            "handle": "write_draft_orders"
        },
        {
            "handle": "unauthenticated_write_checkouts"
        },
        {
            "handle": "unauthenticated_write_customers"
        },
        {
            "handle": "unauthenticated_read_customer_tags"
        },
        {
            "handle": "unauthenticated_read_content"
        },
        {
            "handle": "unauthenticated_read_product_listings"
        },
        {
            "handle": "unauthenticated_read_product_tags"
        },
        {
            "handle": "read_products"
        },
        {
            "handle": "read_customers"
        },
        {
            "handle": "read_draft_orders"
        },
        {
            "handle": "unauthenticated_read_checkouts"
        },
        {
            "handle": "unauthenticated_read_customers"
        }
    ]
}

 

the above works just fine but this fails.

>>>>
https --check-status  --timeout=180 POST "fancy-pants-store-1.myshopify.com/admin/api/2021-10/storefront_access_tokens.json" <<<'{"storefront_access_token": {"title": "Token"}}' Content-Type:"application/json; charset=utf-8" X-Shopify-Access-Token:"<token>"
<<<<
HTTP/1.1 403 Forbidden
CF-Cache-Status: DYNAMIC
CF-RAY: 6a15b1e40dc866b9-DFW
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.shopifycs.com https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fstorefront_access_tokens&source%5Bsection%5D=admin_api&source%5Buuid%5D=933044f0-b47f-4234-88a3-b0a5647f5165
Content-Type: application/json; charset=utf-8
Date: Wed, 20 Oct 2021 22:31:11 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 1/40
Referrer-Policy: origin-when-cross-origin
Server: cloudflare
Strict-Transport-Security: max-age=7889238
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dc: gcp-us-central1,gcp-us-central1,gcp-us-central1
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-ID: 933044f0-b47f-4234-88a3-b0a5647f5165
X-ShardId: 138
X-ShopId: 55072620683
X-Shopify-API-Version: 2021-10
X-Shopify-Shop-Api-Call-Limit: 1/40
X-Shopify-Stage: production
X-Sorting-Hat-PodId: 138
X-Sorting-Hat-ShopId: 55072620683
X-Stats-ApiClientId: 5953411
X-Stats-ApiPermissionId: 315021164683
X-Stats-UserId: 71595327627
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fstorefront_access_tokens&source%5Bsection%5D=admin_api&source%5Buuid%5D=933044f0-b47f-4234-88a3-b0a5647f5165
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{
    "errors": "Token must be eligible to manage storefront tokens."
}

 

I've tried multiple apps and multiple stores, logging out of all sessions, even logging out of shopify.com. i've used incognito windows etc. nothing seems to work.

can you provide step by step instructions to create a "sales channel app" and get a storefront access token. We have proprietary app that gets the same error and I've tried the sample app here as well to the same affect: https://github.com/christopherdodd/shopify-koa-server

I see a number of other posts about the same error, and same suggestions keep getting repeated, that don't work. very frustrating.

Replies 5 (5)
wakkoyakkodot
Tourist
4 0 1

If someone else is having trouble with this. The below snippet worked for me. Seems setting the `accessMode` to `offline` is required, even though that's supposed to be the default value for that field and it isn't documented anywhere in the shopify docs. cheers.

 

        scopes: [
            "write_products",
            "write_customers",
            "write_draft_orders",
            "unauthenticated_write_checkouts",
            "unauthenticated_read_product_listings",
            "unauthenticated_read_product_tags"
        ],
        accessMode: "offline",
harishganapathi
New Member
2 0 0

Exactly can you tell where to added the access mode Flag. I am also stuck at this same issue for multiple days.

 

wakkoyakkodot
Tourist
4 0 1

Here's the full snippet. You specify the scopes, access mode and other params when you create the Shopify auth request.

 

    createShopifyAuth({
        apiKey: SHOPIFY_API_KEY,
        secret: SHOPIFY_API_SECRET_KEY,
        scopes: [
            "read_orders",
            "read_products",
            "read_customers",
            "write_draft_orders",
            "unauthenticated_write_checkouts",
            "unauthenticated_read_product_listings",
            "unauthenticated_read_product_tags"
        ],
        accessMode: "offline",

        afterAuth(ctx) {
            const { shop, accessToken } = ctx.session;

            console.log(`> session ${JSON.stringify(ctx.session)}`)

            console.log(`> shop origin  ${shop}`);
            console.log(`> access token ${accessToken}`);
        
            ctx.cookies.set("accessToken", accessToken, { httpOnly: false });
            ctx.cookies.set("shopOrigin", shop, { httpOnly: false });
            ctx.redirect("/");
        }
    })

 

harishganapathi
New Member
2 0 0

@wakkoyakkodot I hope this helps a lot of beginners like me. Thanks a ton. _/\_