Access denied creating storefront access token

Topic summary

A developer is unable to create a storefrontAccessToken using Shopify’s GraphQL API, receiving “access denied” errors despite granting all unauthenticated access scopes. The app is public in draft state (not a sales channel) with extensive permissions including read/write for metaobjects, products, checkouts, and customers.

Key Finding:
The issue appears specific to the GraphiQL playground interface. The storefrontAccessTokenCreate mutation fails in the GraphQL explorer shown in the screenshot, but works correctly when called from:

  • Actual application code using a GraphQL client
  • Command-line tools (curl, Invoke-WebRequest)
  • Server-side GraphQL clients

Status: Resolved - this is a known limitation of the playground environment rather than a permissions issue. Developers should test the mutation outside the GraphiQL interface for successful token creation.

Summarized with AI on October 30. AI used: claude-sonnet-4-5-20250929.

I’m trying to create a storefrontAccessToken using the GraphQL API. Out of frustration, I have granted all unauthenticated access scopes, but it’s still not working—I keep getting “access denied.” What access scopes are required to create a storefrontAccessToken?

My app is currently public in draft state and it’s not a sales channel. These access scopes have been granted:

read_metaobject_definitions,read_metaobjects,read_products,unauthenticated_read_checkouts,unauthenticated_read_content,unauthenticated_read_customer_tags,unauthenticated_read_customers,unauthenticated_read_metaobjects,unauthenticated_read_product_listings,unauthenticated_read_product_tags,unauthenticated_write_checkouts,unauthenticated_write_customers,write_metaobject_definitions,write_metaobjects

This is what I’m trying

2 Likes

It seems like the storefrontAccessTokenCreate mutation simply doesn’t work in the GraphiQL interface shown in the screenshot. You have to make the request for a token from a real GraphQL client in your app code, or just make the GraphQL request with curl or Invoke-WebRequest on the command line.

1 Like
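What the reply above describes, as an added example (not code from the thread or from Shopify): a standard-library Python client that sends `storefrontAccessTokenCreate` to the Admin GraphQL endpoint and keeps request-level `errors` apart from `userErrors`. The environment variable names and the token title are assumptions.

```python
import json
import os
import urllib.request

MUTATION = """
mutation CreateToken($input: StorefrontAccessTokenInput!) {
  storefrontAccessTokenCreate(input: $input) {
    storefrontAccessToken { accessToken title accessScopes { handle } }
    userErrors { field message }
  }
}
"""

def build_request(shop, api_version, admin_token, title):
    """Build the Admin API POST; the admin token travels only in a header."""
    body = json.dumps({"query": MUTATION,
                       "variables": {"input": {"title": title}}})
    return urllib.request.Request(
        f"https://{shop}/admin/api/{api_version}/graphql.json",
        data=body.encode(),
        headers={"Content-Type": "application/json",
                 "X-Shopify-Access-Token": admin_token},
        method="POST",
    )

def parse_response(payload):
    """Return (token, scope handles); raise on either kind of failure."""
    # Request-level failures; the thread's "access denied" is assumed to
    # arrive in this top-level list.
    if payload.get("errors"):
        raise PermissionError(json.dumps(payload["errors"]))
    result = payload["data"]["storefrontAccessTokenCreate"]
    # Input problems are reported per mutation in userErrors.
    if result["userErrors"]:
        raise ValueError(json.dumps(result["userErrors"]))
    token = result["storefrontAccessToken"]
    scopes = sorted(s["handle"] for s in token["accessScopes"])
    return token["accessToken"], scopes

def create_storefront_token(shop, api_version, admin_token, title):
    req = build_request(shop, api_version, admin_token, title)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_response(json.load(resp))

if __name__ == "__main__":
    # Hypothetical variable names; nothing secret is placed on the command line.
    token, scopes = create_storefront_token(
        os.environ["SHOP_DOMAIN"], os.environ["SHOPIFY_API_VERSION"],
        os.environ["SHOPIFY_ADMIN_TOKEN"], "headless-storefront")
    print("granted scopes:", ", ".join(scopes))
    print("token ends with:", token[-4:])
```

Comparing the returned scope handles with the `unauthenticated_*` scopes the app requested shows what the new token can actually reach.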

Encountered the same problem. It does work when using the GraphQL client on the server side, but on the playground the mutation fails.