Storefront access token request: Token must be eligible to manage storefront tokens.

wakkoyakkodot

I have a sales channel app with an access token with the following scopes.

 

https --check-status --ignore-stdin --timeout=180 GET "fancy-pants-store-1.myshopify.com/admin/oauth/access_scopes.json" Content-Type:"application/json; charset=utf-8" X-Shopify-Access-Token:"<token>"

HTTP/1.1 200 OK
CF-Cache-Status: DYNAMIC
CF-RAY: 6a15ad8d2f1a2863-DFW
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.shopifycs.com https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Faccess_scopes&source%5Bsection%5D=admin_api&source%5Buuid%5D=46b1cdd1-315d-4344-b030-bc869661c198
Content-Type: application/json; charset=utf-8
Date: Wed, 20 Oct 2021 22:28:13 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 1/40
Referrer-Policy: origin-when-cross-origin
Server: cloudflare
Strict-Transport-Security: max-age=7889238
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dc: gcp-us-east1,gcp-us-central1,gcp-us-central1
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-ID: 46b1cdd1-315d-4344-b030-bc869661c198
X-ShardId: 138
X-ShopId: 55072620683
X-Shopify-API-Version: 2021-01
X-Shopify-Shop-Api-Call-Limit: 1/40
X-Shopify-Stage: production
X-Sorting-Hat-PodId: 138
X-Sorting-Hat-ShopId: 55072620683
X-Stats-ApiClientId: 5953411
X-Stats-ApiPermissionId: 315021164683
X-Stats-UserId: 71595327627
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Faccess_scopes&source%5Bsection%5D=admin_api&source%5Buuid%5D=46b1cdd1-315d-4344-b030-bc869661c198
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{
    "access_scopes": [
        {
            "handle": "write_products"
        },
        {
            "handle": "write_customers"
        },
        {
            "handle": "write_draft_orders"
        },
        {
            "handle": "unauthenticated_write_checkouts"
        },
        {
            "handle": "unauthenticated_write_customers"
        },
        {
            "handle": "unauthenticated_read_customer_tags"
        },
        {
            "handle": "unauthenticated_read_content"
        },
        {
            "handle": "unauthenticated_read_product_listings"
        },
        {
            "handle": "unauthenticated_read_product_tags"
        },
        {
            "handle": "read_products"
        },
        {
            "handle": "read_customers"
        },
        {
            "handle": "read_draft_orders"
        },
        {
            "handle": "unauthenticated_read_checkouts"
        },
        {
            "handle": "unauthenticated_read_customers"
        }
    ]
}

 

The above works just fine, but this fails.

>>>>
https --check-status  --timeout=180 POST "fancy-pants-store-1.myshopify.com/admin/api/2021-10/storefront_access_tokens.json" <<<'{"storefront_access_token": {"title": "Token"}}' Content-Type:"application/json; charset=utf-8" X-Shopify-Access-Token:"<token>"
<<<<
HTTP/1.1 403 Forbidden
CF-Cache-Status: DYNAMIC
CF-RAY: 6a15b1e40dc866b9-DFW
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.shopifycs.com https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fstorefront_access_tokens&source%5Bsection%5D=admin_api&source%5Buuid%5D=933044f0-b47f-4234-88a3-b0a5647f5165
Content-Type: application/json; charset=utf-8
Date: Wed, 20 Oct 2021 22:31:11 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 1/40
Referrer-Policy: origin-when-cross-origin
Server: cloudflare
Strict-Transport-Security: max-age=7889238
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dc: gcp-us-central1,gcp-us-central1,gcp-us-central1
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-ID: 933044f0-b47f-4234-88a3-b0a5647f5165
X-ShardId: 138
X-ShopId: 55072620683
X-Shopify-API-Version: 2021-10
X-Shopify-Shop-Api-Call-Limit: 1/40
X-Shopify-Stage: production
X-Sorting-Hat-PodId: 138
X-Sorting-Hat-ShopId: 55072620683
X-Stats-ApiClientId: 5953411
X-Stats-ApiPermissionId: 315021164683
X-Stats-UserId: 71595327627
X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fstorefront_access_tokens&source%5Bsection%5D=admin_api&source%5Buuid%5D=933044f0-b47f-4234-88a3-b0a5647f5165
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{
    "errors": "Token must be eligible to manage storefront tokens."
}

 

I've tried multiple apps and multiple stores, logging out of all sessions, even logging out of shopify.com. I've used incognito windows, etc. Nothing seems to work.

Can you provide step-by-step instructions to create a "sales channel app" and get a storefront access token? We have a proprietary app that gets the same error, and I've tried the sample app here as well to the same effect: https://github.com/christopherdodd/shopify-koa-server

I see a number of other posts about the same error, and the same suggestions that don't work keep getting repeated. Very frustrating.

Replies 2 (2)
wakkoyakkodot

If someone else is having trouble with this, the snippet below worked for me. It seems setting the `accessMode` to `offline` is required, even though that's supposed to be the default value for that field and it isn't documented anywhere in the Shopify docs. Cheers.

 

        scopes: [
            "write_products",
            "write_customers",
            "write_draft_orders",
            "unauthenticated_write_checkouts",
            "unauthenticated_read_product_listings",
            "unauthenticated_read_product_tags"
        ],
        accessMode: "offline",
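
A preflight check based on this thread's finding, as an added example that is not part of the original posts: it inspects the OAuth token-exchange response before calling `storefront_access_tokens.json`. It assumes Shopify's documented response fields (`associated_user`, `associated_user_scope` and `expires_in` appear only for online tokens) and that at least one `unauthenticated_*` scope is needed; the function names and sample objects are constructed.

```javascript
// Added example: preflight check before POSTing to storefront_access_tokens.json.
// Field names follow Shopify's OAuth token-exchange response (assumption noted
// in the lead-in); function names and sample objects are constructed.

// Online-mode token responses carry per-user fields; offline ones do not.
function accessModeOf(tokenResponse) {
  const onlineMarkers = ["associated_user", "associated_user_scope", "expires_in"];
  return onlineMarkers.some((k) => k in tokenResponse) ? "online" : "offline";
}

// Returns the reasons the token is likely to be refused (empty array = looks OK).
function storefrontTokenPreflight(tokenResponse) {
  const problems = [];
  if (typeof tokenResponse.access_token !== "string" || !tokenResponse.access_token) {
    problems.push("no access_token in response");
  }
  if (accessModeOf(tokenResponse) === "online") {
    problems.push('online (per-user) token: re-run OAuth with accessMode "offline"');
  }
  const scopes = String(tokenResponse.scope || "")
    .split(",").map((s) => s.trim()).filter(Boolean);
  if (!scopes.some((s) => s.startsWith("unauthenticated_"))) {
    problems.push("no unauthenticated_* scope granted");
  }
  return problems;
}

// Constructed sample responses (tokens are placeholders, not real values).
const SCOPES = "write_products,write_customers,write_draft_orders," +
  "unauthenticated_write_checkouts,unauthenticated_read_product_listings," +
  "unauthenticated_read_product_tags";

const offlineSample = { access_token: "<offline-token>", scope: SCOPES };
const onlineSample = {
  access_token: "<online-token>",
  scope: SCOPES,
  expires_in: 86399,
  associated_user_scope: "write_products",
  associated_user: { id: 1, account_owner: true },
};

console.log("offline:", storefrontTokenPreflight(offlineSample));
console.log("online: ", storefrontTokenPreflight(onlineSample));
```
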