Differences b/w vanity and canonical URLs when fetching access token

Hello!

I’ve noticed what seems to be different behavior between vanity and canonical shop URLs when fetching an access token via the /admin/oauth/access_token endpoint.

Here’s what I’m experiencing:

  1. Initiate auth flow via https://vanity.myshopify.com/admin/oauth/authorize?client_id=CLIENT_ID&scope=SCOPES&redirect_uri=REDIRECT_URI

  2. Shopify redirects user to canonical URL version: https://a1b2c3.myshopify.com/admin/oauth/authorize?client_id=CLIENT_ID&scope=SCOPES&redirect_uri=REDIRECT_URI

  3. User authenticates, Shopify redirects back to REDIRECT_URI?code=CODE&shop=a1b2c3.myshopify.com

  4. We use the code to then fetch an access token. Here’s where there is a difference b/w the two URLs:

  • https://vanity.myshopify.com/admin/oauth/access_token → 401 error “[API] Invalid API key or access token (unrecognized login or wrong password)”
  • https://a1b2c3.myshopify.com/admin/oauth/access_token → 200 success! 💪

Is this expected? Is there a reason we can’t use the vanity URL when fetching an access token?

Thank you!

Hi Kweiberth,

This behaviour is expected as the vanity URL acts as a type of alias for the “true” URL - so for making API calls to authenticate we’d recommend you stick to the “true” URL. I do however recognise that it might be preferable to use the vanity URL though, so I’ll connect with the product team responsible for this area and make this feature request.

Hope this helps,

Hi Liam,

Thanks for the quick response! Makes sense we’d want to stick to the canonical URL. As a partner, we’re requesting data from the Shopify user, and they’re often giving us the vanity URL. It seems like some things work w/ the vanity URL (e.g. authorization URL to send the user to the login page) but other things don’t. Allowing the vanity URL to be used in all places would definitely be nice. Having this explicitly called out in the guides and API docs would also be nice.

Thanks again,

Kurt
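
An added example, not part of the thread and not Shopify's own code: it builds the token request from the `shop` value returned in the callback (step 3) instead of the vanity domain the merchant typed, and checks that the value is a `*.myshopify.com` hostname first, because the client secret is posted to that host. The callback URL, `app.example` and the function names are constructed for illustration; the request is built but not sent, and verifying the callback's authenticity is outside this example.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Constructed sample values mirroring the thread's placeholders.
TYPED_SHOP = "vanity.myshopify.com"  # what the merchant gave the partner
SAMPLE_CALLBACK = "https://app.example/callback?code=CODE&shop=a1b2c3.myshopify.com"

# One DNS label followed by .myshopify.com. Used with fullmatch so that a
# trailing newline or an appended suffix (".myshopify.com.evil.example")
# cannot pass the check.
SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")


def _single(params, name):
    """Return the only value of a query parameter; reject missing or repeated ones."""
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(f"callback must carry exactly one {name!r} parameter")
    return values[0]


def canonical_shop(callback_url):
    """Return the validated shop host from the callback's `shop` parameter."""
    params = parse_qs(urlsplit(callback_url).query)
    shop = _single(params, "shop").lower()
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("shop is not a myshopify.com hostname")
    return shop


def token_request(callback_url, client_id, client_secret):
    """Build (not send) the POST to the canonical shop's token endpoint."""
    params = parse_qs(urlsplit(callback_url).query)
    code = _single(params, "code")
    shop = canonical_shop(callback_url)  # never the domain typed by the merchant
    body = urlencode(
        {"client_id": client_id, "client_secret": client_secret, "code": code}
    ).encode()
    return Request(f"https://{shop}/admin/oauth/access_token", data=body, method="POST")


if __name__ == "__main__":
    req = token_request(SAMPLE_CALLBACK, "CLIENT_ID", "CLIENT_SECRET")
    print(TYPED_SHOP, "->", req.full_url)
```

Storing the value returned by `canonical_shop` alongside the access token keeps later API calls on the same host that issued the token.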