Same issue for us. Any resolution?
Topic summary
Main issue: Multiple developers report a 403 “API Access has been disabled” response when calling Admin REST endpoints (e.g., /admin/api/2023-01/shop.json and /admin/api/2023-04/shop.json) and the OAuth scopes endpoint (/admin/oauth/access_scopes.json) on development/test stores. The problem began recently and persists.
What was tried:
- Verified app scopes and reinstalled apps; issue continued during OAuth reinstall.
- Checked rate limits; no throttling headers or limits hit.
- Confirmed API versions in use (2023-01 and 2023-04); OAuth endpoint is unversioned.
Key observations:
- In some cases, a fresh permanent “offline” access token is issued and scopes appear correct, yet a subsequent GET to access_scopes.json returns 403.
- Protected Customer Data Access being in “draft” was suspected by some, but a staff reply clarified that protected data issues typically return null fields, not a 403.
Latest guidance (staff):
- Likely cause is a revoked or rotated access token. If scopes are correct and a current token is used but 403 persists, contact Shopify Support with app details and request IDs for investigation.
Status/outcome:
- No confirmed fix in-thread. One workaround was switching to another testing store. Issue remains open. Technical details (endpoints, tokens, headers) are central to the discussion.
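
The distinctions drawn in the summary above (throttling vs. the 403 “API Access has been disabled” response vs. null fields on a successful response) can be encoded as a small triage step that also captures the request ID for a support ticket. This is an added example, not code from the thread or from Shopify; the function names and sample responses are constructed, and it assumes the response headers `X-Request-Id` and `Retry-After`, which the thread does not name.

```python
import json

DISABLED_MSG = "API Access has been disabled"  # error text quoted in the thread

def null_paths(value, path=""):
    """Yield dotted paths of JSON fields whose value is null."""
    if value is None:
        yield path
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from null_paths(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from null_paths(child, f"{path}[{i}]")

def triage(status, headers, body):
    """Classify one Admin API response; returns (finding, request_id, detail)."""
    h = {k.lower(): v for k, v in headers.items()}
    request_id = h.get("x-request-id")  # assumed header name; quote it to support
    if status == 429 or "retry-after" in h:
        return "throttled", request_id, h.get("retry-after")
    if status == 403 and DISABLED_MSG in body:
        # Staff guidance in the thread: suspect a revoked or rotated token first,
        # then escalate with app details and request IDs.
        return "api-access-disabled", request_id, "verify token is current, then escalate"
    if status == 403:
        return "forbidden-other", request_id, "not the error text reported in the thread"
    if status == 200:
        nulls = sorted(null_paths(json.loads(body)))
        if nulls:
            # Null fields on a 200 are the protected-data symptom, not a 403.
            return "null-fields", request_id, nulls
        return "ok", request_id, None
    return "unexpected", request_id, status

# Constructed sample responses (not captured from a real store).
SAMPLES = [
    (403, {"X-Request-Id": "req-constructed-1"}, '{"errors": "API Access has been disabled"}'),
    (200, {"X-Request-Id": "req-constructed-2"}, '{"customer": {"id": 1, "email": null}}'),
    (429, {"X-Request-Id": "req-constructed-3", "Retry-After": "2.0"}, '{"errors": "throttled"}'),
]

if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        print(triage(status, headers, body))
```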