I’m working on an app that needs to perform actions on behalf of a customer, which requires the unauthenticated_write_customers scope. The app has this scope, so it was used during installation on the dev store I’m using.
I have been able to request a delegate access token correctly with this scope (tried both GraphQL and REST). However, when using the token in a GraphQL request to the Storefront API I always receive a 403 response with no body (thus no explanation of what went wrong).
Include your delegate access token as a Shopify-Storefront-Private-Token header on requests from a server, such as the backend of a Hydrogen site.
Can someone help me to understand what I’m missing?
UPD: I went back and forth with this and it seems that lots of Storefront API requests are not available for apps that are not Sales Channels (like my app). I would appreciate it if someone from @Shopify_77 could confirm that the issue here is that my app is not a sales channel. If this is true, the situation is very unfortunate, since my app doesn’t require any sales channel features; it only works with the customer accounts part of the Storefront API. Some clarification from the Shopify team is required here.
Any news/insights? We are having the same issue. Shopify should urgently provide some docs on how this should work. Running Storefront API requests from a server is effectively unusable unless you have a very low-traffic site.
Thanks for your question about this. We’re rolling this out incrementally. The first priority was for Hydrogen, which is also why you’re able to find general details in our docs. Once we’re at 100% rollout we’ll update the developer changelog and provide additional documentation on how to properly utilize the request headers you’ve identified.
I don’t have an exact timeline to share today, and while things can change, I feel fairly confident that you’ll see this be fully available later this quarter.
Yes. If not building with Hydrogen, server-side data fetching without risking being rate limited isn’t yet fully possible. Storefront API requests happening client-side with a non-delegate access token provided to the X-Shopify-Storefront-Access-Token header is the preferred approach for now.