FROM CACHE - en_header

Storefront access token request: Token must be eligible to manage storefront tokens.

wakkoyakkodot
Tourist
4 0 1
‎10-20-2021 06:36 PM

i have a sales channel app with an access token with the following scopes. 

 

https --check-status --ignore-stdin --timeout=180 GET "fancy-pants-store-1.myshopify.com/admin/oauth/access_scopes.json" Content-Type:"application/json; charset=utf-8" X-Shopify-Access-Token:"<token>"

HTTP/1.1 200 OK
CF-Cache-Status: DYNAMIC
CF-RAY: 6a15ad8d2f1a2863-DFW
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.shopifycs.com https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Faccess_scopes&source%5Bsection%5D=admin_api&source%5Buuid%5D=46b1cdd1-315d-4344-b030-bc869661c198
Content-Type: application/json; charset=utf-8
Date: Wed, 20 Oct 2021 22:28:13 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 1/40
Referrer-Policy: origin-when-cross-origin
Server: cloudflare
Strict-Transport-Security: max-age=7889238
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dc: gcp-us-east1,gcp-us-central1,gcp-us-central1
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-ID: 46b1cdd1-315d-4344-b030-bc869661c198
X-ShardId: 138
X-ShopId: 55072620683
X-Shopify-API-Version: 2021-01
X-Shopify-Shop-Api-Call-Limit: 1/40
X-Shopify-Stage: production
X-Sorting-Hat-PodId: 138
X-Sorting-Hat-ShopId: 55072620683
X-Stats-ApiClientId: 5953411
X-Stats-ApiPermissionId: 315021164683
X-Stats-UserId: 71595327627
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Faccess_scopes&source%5Bsection%5D=admin_api&source%5Buuid%5D=46b1cdd1-315d-4344-b030-bc869661c198
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{
    "access_scopes": [
        {
            "handle": "write_products"
        },
        {
            "handle": "write_customers"
        },
        {
            "handle": "write_draft_orders"
        },
        {
            "handle": "unauthenticated_write_checkouts"
        },
        {
            "handle": "unauthenticated_write_customers"
        },
        {
            "handle": "unauthenticated_read_customer_tags"
        },
        {
            "handle": "unauthenticated_read_content"
        },
        {
            "handle": "unauthenticated_read_product_listings"
        },
        {
            "handle": "unauthenticated_read_product_tags"
        },
        {
            "handle": "read_products"
        },
        {
            "handle": "read_customers"
        },
        {
            "handle": "read_draft_orders"
        },
        {
            "handle": "unauthenticated_read_checkouts"
        },
        {
            "handle": "unauthenticated_read_customers"
        }
    ]
}

 

the above works just fine but this fails.

>>>>
https --check-status  --timeout=180 POST "fancy-pants-store-1.myshopify.com/admin/api/2021-10/storefront_access_tokens.json" <<<'{"storefront_access_token": {"title": "Token"}}' Content-Type:"application/json; charset=utf-8" X-Shopify-Access-Token:"<token>"
<<<<
HTTP/1.1 403 Forbidden
CF-Cache-Status: DYNAMIC
CF-RAY: 6a15b1e40dc866b9-DFW
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.shopifycs.com https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fstorefront_access_tokens&source%5Bsection%5D=admin_api&source%5Buuid%5D=933044f0-b47f-4234-88a3-b0a5647f5165
Content-Type: application/json; charset=utf-8
Date: Wed, 20 Oct 2021 22:31:11 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 1/40
Referrer-Policy: origin-when-cross-origin
Server: cloudflare
Strict-Transport-Security: max-age=7889238
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dc: gcp-us-central1,gcp-us-central1,gcp-us-central1
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-ID: 933044f0-b47f-4234-88a3-b0a5647f5165
X-ShardId: 138
X-ShopId: 55072620683
X-Shopify-API-Version: 2021-10
X-Shopify-Shop-Api-Call-Limit: 1/40
X-Shopify-Stage: production
X-Sorting-Hat-PodId: 138
X-Sorting-Hat-ShopId: 55072620683
X-Stats-ApiClientId: 5953411
X-Stats-ApiPermissionId: 315021164683
X-Stats-UserId: 71595327627
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fstorefront_access_tokens&source%5Bsection%5D=admin_api&source%5Buuid%5D=933044f0-b47f-4234-88a3-b0a5647f5165
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{
    "errors": "Token must be eligible to manage storefront tokens."
}

 

I've tried multiple apps and multiple stores, logging out of all sessions, even logging out of shopify.com. i've used incognito windows etc. nothing seems to work.

can you provide step by step instructions to create a "sales channel app" and get a storefront access token. We have proprietary app that gets the same error and I've tried the sample app here as well to the same affect: https://github.com/christopherdodd/shopify-koa-server

I see a number of other posts about the same error, and same suggestions keep getting repeated, that don't work. very frustrating.

1,109 Views
0 Likes
Report
Replies 5 (5)
In response to wakkoyakkodot
wakkoyakkodot
Tourist
4 0 1
‎10-21-2021 03:09 PM

If someone else is having trouble with this. The below snippet worked for me. Seems setting the `accessMode` to `offline` is required, even though that's supposed to be the default value for that field and it isn't documented anywhere in the shopify docs. cheers.

 

        scopes: [
            "write_products",
            "write_customers",
            "write_draft_orders",
            "unauthenticated_write_checkouts",
            "unauthenticated_read_product_listings",
            "unauthenticated_read_product_tags"
        ],
        accessMode: "offline",
934 Views
0 Likes
Report
In response to wakkoyakkodot
harishganapathi
New Member
2 0 0
‎01-21-2022 01:32 PM

Exactly can you tell where to added the access mode Flag. I am also stuck at this same issue for multiple days.

 

476 Views
0 Likes
Report
In response to harishganapathi
wakkoyakkodot
Tourist
4 0 1
‎01-21-2022 01:36 PM

Here's the full snippet. You specify the scopes, access mode and other params when you create the Shopify auth request.

 

    createShopifyAuth({
        apiKey: SHOPIFY_API_KEY,
        secret: SHOPIFY_API_SECRET_KEY,
        scopes: [
            "read_orders",
            "read_products",
            "read_customers",
            "write_draft_orders",
            "unauthenticated_write_checkouts",
            "unauthenticated_read_product_listings",
            "unauthenticated_read_product_tags"
        ],
        accessMode: "offline",

        afterAuth(ctx) {
            const { shop, accessToken } = ctx.session;

            console.log(`> session ${JSON.stringify(ctx.session)}`)

            console.log(`> shop origin  ${shop}`);
            console.log(`> access token ${accessToken}`);
        
            ctx.cookies.set("accessToken", accessToken, { httpOnly: false });
            ctx.cookies.set("shopOrigin", shop, { httpOnly: false });
            ctx.redirect("/");
        }
    })

 

473 Views
Report
In response to wakkoyakkodot
harishganapathi
New Member
2 0 0
‎01-21-2022 01:48 PM

@wakkoyakkodot I hope this helps a lot of beginners like me. Thanks a ton. _/\_ 

468 Views
0 Likes
Report

Community Blog Articles

default image
We Answered Your Questions to Help You Get the Most Out of Your Shopify <> ...

Thank you to everyone who participated in our AMA with Klaviyo. It was great to see so man...

By Jacqui May 30, 2023
24-09-19241-65844.png
Introduction to Shopify Sales Channels

Photo by Marco Verch Sales channels on Shopify are various platforms where you can sell...

By Ollie May 25, 2023
default image
Shopify - Web Pixels Manager Sandbox FAQ

Summary of EventsBeginning in January of 2023, some merchants reported seeing a large amo...

By Trevor May 15, 2023
Terms of Service Privacy Policy