403 when trying customerAccessTokenCreate

Retired Boards Appdev Custom Storefronts

Topic summary

A developer is encountering a 403 error when attempting to use the customerAccessTokenCreate mutation in Shopify’s Storefront API.

Current Setup:

  • Backend: Express + Firebase Functions
  • Successfully retrieving products via Postman using the Headless channel
  • Using unrestricted Storefront Access Token in headers

The Issue:

  • The mutation for creating customer access tokens is failing with a 403 Forbidden error
  • Code shows a POST endpoint attempting to authenticate users with email/password

Request for Help:

  • Seeking guidance on the correct implementation approach
  • Looking for code repositories with complete, working examples
  • Needs direction on proper authentication flow for customer login

The discussion remains open with no resolution yet. The corrupted/reversed text in the original post suggests potential encoding issues, but the core problem is clear: authentication mutation is being rejected by Shopify’s API.

Summarized with AI on November 21. AI used: claude-sonnet-4-5-20250929.
1

Hello everyone,

I have been trying to develop a way to login my users in my within the Storefront API.
I currently have an Express + Firebase functions that act as my backend.
So far I have created a test shop and installed the headless channel and I have been able to do a request using Postman to retrieve some products.
My current code:

const unrestrictedHeaders = {
    'Content-Type': 'application/graphql',
    'X-Shopify-Storefront-Access-Token': shopifyStoreFrontAPIUnrestricted
};

router.post('/create-token', async (req, res) => {
    const query = `mutation {
        customerAccessTokenCreate({"input": {"email": "${req.body.email}", "password": "${req.body.password}"}}) {
            customerAccessToken {
                accessToken
            }
            customerUserErrors {
                message
            }
            }
        }`;

    try {
        const response = await axios.post(shopifyEndPoint, { query }, { unrestrictedHeaders });
        res.send(response.data);
    } catch (error) {
        console.error(error);
        res.status(500).send(error.message);
    }

});

Any help pointing the right direction would be awesome. Also it would be great to have a code repository with examples as I haven’t been able to locate a proper one with full code examples.

Best,
Stockers