I created a custom subscription form in my shop. When a user subscribes, I want to create a customer (without a password) with Shopify’s REST Admin API.
But I keep getting a 401 error with the request. I’m new to web development. By doing some research, it seems Shopify does not allow cross-region access.
Please remove your code immediately, and delete the key you’re using. It’s super important that you do both so don’t just remove the code.
By adding this code in a public way you’ve exposed a way to get (and alter) the private data for all customers on your shop. Shopify intentionally blocks change requests (so things like POST) that contain cookies, and this request originating from the browser will contain a cookie. It’s useful this measure is in place; otherwise you may never have posted here and so not realised the ramifications.
Why do you need to create a customer in this way vs using the account creation flow already available?
I know there’s a risk in exposing the API key and password. And I informed the owner of the shop. At the moment, the shop only has a coming soon page which lets users subscribe for marketing purposes.
What I’m concerned about is later on when the main site is online, which does not require users to have an account to make an order either. It also has a subscription form like the coming soon site. So the in-place customer/register form template does not meet the requirement. The only way I found to add a customer without creating an account is through the Admin API or Storefront API, but both of them require authentication.
Please let me know if there’s any other way to add a customer without creating an account.
Have to ask another question - why does the account creation matter? I’m sure there’s good reasons just not seeing it with what I know so far.
A customer making an order will create a customer object, as would signing up for the newsletter. Maybe that gets you closer to your needs?
If you must do it via the API, create an app. Pass the details to your app, and have that securely create the customer. That way you don’t risk exposing customer details and landing yourself in potential legal/data breach issues.
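As an added example (not code from this thread or from Shopify), this is the shape of the server-side app the reply above suggests: the browser posts the form to your own endpoint, and only the server holds the Admin API token and calls `customers.json`. The shop domain, API version, environment variable names, allowed origin and customer tag are assumptions; the origin check is a coarse guard against other sites using the endpoint, not authentication.

```javascript
// Added example: minimal server-side handler (Node 18+, no framework) for the
// public subscription form. The Admin API token stays on the server; the browser
// only ever talks to this endpoint. Shop domain, API version, token and allowed
// origin are read from environment variables and are assumptions for this example.
const SHOP = process.env.SHOPIFY_SHOP || 'example.myshopify.com';
const API_VERSION = process.env.SHOPIFY_API_VERSION || '2024-01';
const TOKEN = process.env.SHOPIFY_ADMIN_TOKEN || 'placeholder-token'; // never sent to the browser
// Only the coming-soon site may call this endpoint; a coarse guard, not authentication.
const ALLOWED_ORIGINS = new Set([process.env.SITE_ORIGIN || 'https://www.example.com']);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate and normalise the form input; only the email address passes through.
function buildCustomerPayload(form) {
  const email = String((form && form.email) || '').trim().toLowerCase();
  if (email.length > 254 || !EMAIL_RE.test(email)) throw new Error('invalid email');
  return { customer: { email, tags: 'coming-soon-subscriber' } };
}

// Build the Admin API request: POST /admin/api/{version}/customers.json with the
// token in the X-Shopify-Access-Token header, so no Shopify cookie is involved.
function buildAdminRequest(payload) {
  return {
    url: `https://${SHOP}/admin/api/${API_VERSION}/customers.json`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', 'X-Shopify-Access-Token': TOKEN },
      body: JSON.stringify(payload),
    },
  };
}

// Handle one form submission. `fetchImpl` is injectable so the flow can be run
// without network access. Returns an HTTP status and a minimal JSON body.
async function handleSubscribe(origin, form, fetchImpl = fetch) {
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, body: { error: 'origin not allowed' } };
  let payload;
  try {
    payload = buildCustomerPayload(form);
  } catch (e) {
    return { status: 400, body: { error: e.message } };
  }
  const { url, options } = buildAdminRequest(payload);
  const res = await fetchImpl(url, options);
  // Report only success/failure; the Admin API response (customer data, error
  // details) never reaches the browser.
  return { status: res.ok ? 201 : 502, body: { ok: res.ok } };
}
```

Wire `handleSubscribe(req.headers.origin, parsedBody)` into whatever HTTP framework the app uses; the browser-side form then needs no key at all.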
The situation is the main site (actual shop) won’t be online for the next few months. At the moment the index page is a static “coming soon page”, and the owner wants to collect some potential customer contact information through the subscription form before the actual launch.
I thought about creating a private App. But how can I make a request to the App if it’s hosted on a different domain? I imagine “Private App” is just another name for a private REST backend. I would face the same CORS error, wouldn’t I?