Bug Report: Intermittent `application_cant_be_loaded_misconfigured` on managed-install for already-installed apps

Summary

Calls to Shopify’s managed-install entry URL intermittently (~1 in 5–10 attempts) redirect the merchant to /store/{shop}/apps?oauth_error=application_cant_be_loaded_misconfigured instead of completing the install/no-op redirect to the app’s application_url. The error is non-deterministic and reproduces across three distinct apps against the same merchant shop, with no config changes on our side and no recent deployments.

Environment

  • Merchant shop: wilgotten.myshopify.com
  • Apps affected (all reproduce):
    • client_id = 8b3c66cf9f71b014e3a388e733cd025f (Wilgot local-ihor)
    • client_id = 91ac2acd04e348633993ca11d47db2d4 (Wilgot staging)
    • [third app client_id here]
  • App embedded flag: false on all three
  • Requested scopes: read_products
  • App status on shop: already installed (non-zero x-stats-apipermissionid on every response)
  • Install flow: Shopify managed installation + client_credentials token grant (non-embedded / standalone app pattern)
  • Region observed: responses traverse gcp-europe-west1, gcp-us-east1, gcp-europe-west4 (multi-region in x-dc header)
  • First observed: 2026-04-24
  • Frequency: ~10–20% of attempts

Reproduction

  1. Merchant is logged into admin.shopify.com as the shop owner of wilgotten.myshopify.com.
  2. Open either of these URLs in a fresh incognito browser tab (reproduces in both forms):
    • https://admin.shopify.com/oauth/install?client_id=8b3c66cf9f71b014e3a388e733cd025f
    • https://admin.shopify.com/store/wilgotten/oauth/install?client_id=8b3c66cf9f71b014e3a388e733cd025f
  3. Shopify returns HTTP 302. Observed Location header varies:
    • Success path (~85–90% of attempts): Location: https://<application_url>/?shop=wilgotten.myshopify.com&hmac=...&host=...&timestamp=... — our app loads normally and the flow completes.
    • Failure path (~10–15% of attempts): Location: https://admin.shopify.com/store/wilgotten/apps?oauth_error=application_cant_be_loaded_misconfigured — the error page is shown to the merchant.
  4. Repeating the same URL 5–15 times reliably reproduces at least one failure.

There is no configuration change, no shopify app deploy, no CLI process running, and no scope change between successful and failed attempts. Consecutive attempts seconds apart can flip from success to failure with no other variable changing.

Expected behavior

For an already-installed app with unchanged scopes, /oauth/install should consistently complete the no-op confirmation and redirect the browser to application_url. Behavior should be deterministic across attempts when nothing has changed.

Actual behavior

On ~1 in 5–10 attempts, Shopify returns a 302 to /store/{shop}/apps?oauth_error=application_cant_be_loaded_misconfigured without ever redirecting to application_url. The error message is generic and offers no actionable detail to either the merchant or the developer.

Sanitized HTTP traces

Shopify response on a failed attempt (status 302)

Relevant response headers (cookies, CF ray IDs redacted; Shopify-side correlation IDs kept):

HTTP/2 302
location: https://admin.shopify.com/store/wilgotten/apps?oauth_error=application_cant_be_loaded_misconfigured
x-stats-apiclientid: 1830279
x-stats-apipermissionid: 873895952759
x-stats-userid: 138926555511
x-shopify-shop-api-call-limit: 1/400
server-timing: upstream_processing;dur=101, upstream_verdict_flag_enabled;dur=1.606;desc="count"
x-dc: gcp-europe-west1,gcp-us-east1,gcp-us-east1,gcp-europe-west4,gcp-europe-west4
x-frame-options: DENY
content-security-policy: ...frame-ancestors 'none'...
report-uri: /csp-report?source%5Baction%5D=install&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Foauth&source%5Bsection%5D=admin&source%5Buuid%5D=<shopify-uuid>-<timestamp>
x-request-id: <see list below>

Notable points:

  • x-stats-apiclientid, x-stats-apipermissionid, x-stats-userid are populated, i.e. Shopify resolved the app, existing install record, and merchant user successfully before failing.
  • server-timing shows ~100 ms of server processing completed before the redirect.
  • server-timing also includes upstream_verdict_flag_enabled;dur=1.606;desc="count" — suggests an internal verdict/flag check was run.
  • The report-uri confirms the failure is surfaced by the admin/oauth controller’s install action.

Accompanying client-side telemetry (Shopify Monorail) on failure

A browser Monorail POST to https://monorail-edge.shopifysvc.com/v1/produce at the same moment returns 400 Bad Request:

{
  "schema_id": "admin_navigation_complete/1.1",
  "payload": {
    "app_version": "<shopify-admin-build-hash>",
    "manifest_route_id": "store-list:fallback",
    "pathname": "/oauth/install",
    "normalized_pathname": "",
    "duration": 1077.6,
    "full_page": true,
    "connection_type": "4g"
  }
}

manifest_route_id: "store-list:fallback" appears consistently on failed attempts — Shopify’s admin SPA fell back to the generic store-list manifest route rather than the expected install manifest route.

What we ruled out (all on our side)

  • App config drift: no shopify app deploy run in the observed window; no CLI processes active.
  • ngrok / local tunnel: reproduces on staging app (no tunnel), identical symptoms.
  • Our backend OAuth code: reproduces by pasting the Shopify /oauth/install URL directly in incognito, before any request hits our backend.
  • Popup / COOP / browser opener issues: reproduces in fresh tabs with no popup involvement.
  • application_url and redirect_urls[0] being equal: splitting them into distinct URLs did not change the failure rate.
  • URL form (/store/{shop}/ segment): reproduces with both the admin.shopify.com/oauth/install?client_id=X and admin.shopify.com/store/wilgotten/oauth/install?client_id=X forms.
  • Specific app misconfiguration: reproduces against three distinct apps with different Partner Dashboard records.

This strongly suggests the cause is Shopify-side, in the shared admin/oauth install controller or an upstream service it depends on.

What we’re asking for

  • Please look up the x-request-ids below and identify what the managed-install validator rejected on those specific attempts.
  • If this is a known issue with the managed-install flow for already-installed, non-embedded apps, please confirm and indicate whether a fix is in progress.
  • If it’s related to store-list:fallback manifest resolution, please indicate what triggers that fallback for an authenticated merchant who has x-stats-apipermissionid populated.

Failing x-request-ids

One line per observed failure. Each is taken from the x-request-id response header of the Shopify 302 on .../oauth/install....

x-request-id: 987cb601-30f3-4d4e-8fd1-9fdb443377cc-1777045201
x-request-id: ec4f2a0f-b8d1-48e1-a53b-165b7af83875-1777047448

Contact

  • Partner account: Wilgot AI AB
  • Primary contact: [email removed]
  • App IDs (listed above)
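
Added example (not part of the original report, and not Shopify or Wilgot code): a small triage helper that classifies captured /oauth/install responses the way the report does by hand, using the Location header, x-stats-apipermissionid, x-dc and x-request-id. The second capture, the app.example.test host and the reading of the x-request-id suffix as a Unix timestamp are assumptions made for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed captures. The first copies headers from the failed trace in the
# report; the second is a made-up success (host, hmac, request id are placeholders).
CAPTURES = [
    "HTTP/2 302\n"
    "location: https://admin.shopify.com/store/wilgotten/apps"
    "?oauth_error=application_cant_be_loaded_misconfigured\n"
    "x-stats-apipermissionid: 873895952759\n"
    "x-dc: gcp-europe-west1,gcp-us-east1,gcp-us-east1,gcp-europe-west4,gcp-europe-west4\n"
    "x-request-id: 987cb601-30f3-4d4e-8fd1-9fdb443377cc-1777045201\n",
    "HTTP/2 302\n"
    "location: https://app.example.test/?shop=wilgotten.myshopify.com"
    "&hmac=PLACEHOLDER&host=PLACEHOLDER&timestamp=1777045300\n"
    "x-stats-apipermissionid: 873895952759\n"
    "x-dc: gcp-europe-west1,gcp-us-east1\n"
    "x-request-id: 00000000-0000-4000-8000-000000000000-1777045300\n",
]

def parse_response(raw):
    """Split one captured header block into (status, {lowercase name: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def classify(raw):
    """Describe one /oauth/install attempt from its response headers."""
    status, h = parse_response(raw)
    error = parse_qs(urlsplit(h.get("location", "")).query).get("oauth_error", [None])[0]
    rid = h.get("x-request-id", "")
    suffix = rid.rpartition("-")[2]
    # Assumption: a trailing 10-digit field is a Unix timestamp (the report-uri
    # in the trace has a "<uuid>-<timestamp>" shape); otherwise it stays None.
    when = (datetime.fromtimestamp(int(suffix), timezone.utc).isoformat()
            if len(suffix) == 10 and suffix.isdigit() else None)
    ok = status == 302 and "location" in h and not error
    return {"outcome": "failure" if error else "success" if ok else "other",
            "oauth_error": error,
            "install_resolved": h.get("x-stats-apipermissionid", "0") not in ("", "0"),
            "regions": sorted(set(filter(None, h.get("x-dc", "").split(",")))),
            "request_id": rid, "seen_utc": when}

def summarize(captures):
    """Failure rate plus the request ids worth handing to support."""
    rows = [classify(c) for c in captures]
    failed = [r for r in rows if r["outcome"] == "failure"]
    return {"attempts": len(rows), "failure_rate": len(failed) / len(rows),
            "failing_request_ids": [r["request_id"] for r in failed]}
```

Feeding it header blocks saved from repeated attempts gives a measured failure rate and the exact list of failing x-request-ids, with install_resolved showing whether the install record was found before the redirect.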