Storefront API and SDKs

wakkoyakkodot · ‎10-20-2021

i have a sales channel app with an access token with the following scopes.

https --check-status --ignore-stdin --timeout=180 GET "fancy-pants-store-1.myshopify.com/admin/oauth/access_scopes.json" Content-Type:"application/json; charset=utf-8" X-Shopify-Access-Token:"<token>"

HTTP/1.1 200 OK
CF-Cache-Status: DYNAMIC
CF-RAY: 6a15ad8d2f1a2863-DFW
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.shopifycs.com https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Faccess_scopes&source%5Bsection%5D=admin_api&source%5Buuid%5D=46b1cdd1-315d-4344-b030-bc869661c198
Content-Type: application/json; charset=utf-8
Date: Wed, 20 Oct 2021 22:28:13 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 1/40
Referrer-Policy: origin-when-cross-origin
Server: cloudflare
Strict-Transport-Security: max-age=7889238
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dc: gcp-us-east1,gcp-us-central1,gcp-us-central1
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-ID: 46b1cdd1-315d-4344-b030-bc869661c198
X-ShardId: 138
X-ShopId: 55072620683
X-Shopify-API-Version: 2021-01
X-Shopify-Shop-Api-Call-Limit: 1/40
X-Shopify-Stage: production
X-Sorting-Hat-PodId: 138
X-Sorting-Hat-ShopId: 55072620683
X-Stats-ApiClientId: 5953411
X-Stats-ApiPermissionId: 315021164683
X-Stats-UserId: 71595327627
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Faccess_scopes&source%5Bsection%5D=admin_api&source%5Buuid%5D=46b1cdd1-315d-4344-b030-bc869661c198
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{
    "access_scopes": [
        {
            "handle": "write_products"
        },
        {
            "handle": "write_customers"
        },
        {
            "handle": "write_draft_orders"
        },
        {
            "handle": "unauthenticated_write_checkouts"
        },
        {
            "handle": "unauthenticated_write_customers"
        },
        {
            "handle": "unauthenticated_read_customer_tags"
        },
        {
            "handle": "unauthenticated_read_content"
        },
        {
            "handle": "unauthenticated_read_product_listings"
        },
        {
            "handle": "unauthenticated_read_product_tags"
        },
        {
            "handle": "read_products"
        },
        {
            "handle": "read_customers"
        },
        {
            "handle": "read_draft_orders"
        },
        {
            "handle": "unauthenticated_read_checkouts"
        },
        {
            "handle": "unauthenticated_read_customers"
        }
    ]
}

the above works just fine but this fails.

>>>>
https --check-status  --timeout=180 POST "fancy-pants-store-1.myshopify.com/admin/api/2021-10/storefront_access_tokens.json" <<<'{"storefront_access_token": {"title": "Token"}}' Content-Type:"application/json; charset=utf-8" X-Shopify-Access-Token:"<token>"
<<<<
HTTP/1.1 403 Forbidden
CF-Cache-Status: DYNAMIC
CF-RAY: 6a15b1e40dc866b9-DFW
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.shopifycs.com https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fstorefront_access_tokens&source%5Bsection%5D=admin_api&source%5Buuid%5D=933044f0-b47f-4234-88a3-b0a5647f5165
Content-Type: application/json; charset=utf-8
Date: Wed, 20 Oct 2021 22:31:11 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 1/40
Referrer-Policy: origin-when-cross-origin
Server: cloudflare
Strict-Transport-Security: max-age=7889238
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dc: gcp-us-central1,gcp-us-central1,gcp-us-central1
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-ID: 933044f0-b47f-4234-88a3-b0a5647f5165
X-ShardId: 138
X-ShopId: 55072620683
X-Shopify-API-Version: 2021-10
X-Shopify-Shop-Api-Call-Limit: 1/40
X-Shopify-Stage: production
X-Sorting-Hat-PodId: 138
X-Sorting-Hat-ShopId: 55072620683
X-Stats-ApiClientId: 5953411
X-Stats-ApiPermissionId: 315021164683
X-Stats-UserId: 71595327627
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fstorefront_access_tokens&source%5Bsection%5D=admin_api&source%5Buuid%5D=933044f0-b47f-4234-88a3-b0a5647f5165
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{
    "errors": "Token must be eligible to manage storefront tokens."
}

I've tried multiple apps and multiple stores, logging out of all sessions, even logging out of shopify.com. i've used incognito windows etc. nothing seems to work.

can you provide step by step instructions to create a "sales channel app" and get a storefront access token. We have proprietary app that gets the same error and I've tried the sample app here as well to the same affect: https://github.com/christopherdodd/shopify-koa-server

I see a number of other posts about the same error, and same suggestions keep getting repeated, that don't work. very frustrating.

wakkoyakkodot · ‎10-20-2021

more instances of the same error without any clear steps to fix the problem:

https://community.shopify.com/c/shopify-apis-and-sdks/getting-quot-token-must-be-eligible-to-manage-...4

https://community.shopify.com/c/shopify-apis-and-sdks/storefrontaccesstoken-request-quot-token-must-...

wakkoyakkodot · ‎10-21-2021

If someone else is having trouble with this. The below snippet worked for me. Seems setting the `accessMode` to `offline` is required, even though that's supposed to be the default value for that field and it isn't documented anywhere in the shopify docs. cheers.

        scopes: [
            "write_products",
            "write_customers",
            "write_draft_orders",
            "unauthenticated_write_checkouts",
            "unauthenticated_read_product_listings",
            "unauthenticated_read_product_tags"
        ],
        accessMode: "offline",

harishganapathi · ‎01-21-2022

Exactly can you tell where to added the access mode Flag. I am also stuck at this same issue for multiple days.

wakkoyakkodot · ‎01-21-2022

Here's the full snippet. You specify the scopes, access mode and other params when you create the Shopify auth request.

    createShopifyAuth({
        apiKey: SHOPIFY_API_KEY,
        secret: SHOPIFY_API_SECRET_KEY,
        scopes: [
            "read_orders",
            "read_products",
            "read_customers",
            "write_draft_orders",
            "unauthenticated_write_checkouts",
            "unauthenticated_read_product_listings",
            "unauthenticated_read_product_tags"
        ],
        accessMode: "offline",

        afterAuth(ctx) {
            const { shop, accessToken } = ctx.session;

            console.log(`> session ${JSON.stringify(ctx.session)}`)

            console.log(`> shop origin  ${shop}`);
            console.log(`> access token ${accessToken}`);
        
            ctx.cookies.set("accessToken", accessToken, { httpOnly: false });
            ctx.cookies.set("shopOrigin", shop, { httpOnly: false });
            ctx.redirect("/");
        }
    })

harishganapathi · ‎01-21-2022

@wakkoyakkodot I hope this helps a lot of beginners like me. Thanks a ton. _/\_

Storefront API and SDKs

Storefront access token request: Token must be eligible to manage storefront tokens.

Storefront access token request: Token must be eligible to manage storefront tokens.

Re: Storefront access token request: Token must be eligible to manage storefront tokens.

Re: Storefront access token request: Token must be eligible to manage storefront tokens.

Re: Storefront access token request: Token must be eligible to manage storefront tokens.

Re: Storefront access token request: Token must be eligible to manage storefront tokens.

Re: Storefront access token request: Token must be eligible to manage storefront tokens.

Community Blog Articles

Shopify Community

Support

Shopify

Quick Links