{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"

Retired Boards Appdev Authentication

Topic summary

Main issue: Admin API calls return “Invalid API key or access token” in certain clients (ManyChat, React Native, local code), while the same credentials/URLs often work in a browser or Postman.

Key points and guidance:

  • Private app vs custom app: Private apps (key+password) are deprecated. New Custom Admin apps use an access token via header X-Shopify-Access-Token. There is no “password” for custom apps.
  • Auth methods:
    • Private apps (legacy): Basic auth with API key:password. Some clients reject credentials in URLs; use Authorization: Basic <base64(api_key:password)> instead of embedding in the URL.
    • Custom apps: Send X-Shopify-Access-Token: . Do not use key/secret in the URL or as Basic auth.
  • Scopes and install: Ensure required scopes (e.g., read_orders). After changing scopes, reinstall or update the app so the token has the new scopes.
  • Common pitfalls: Wrong shop domain (missing hyphens), mixing up Client ID/Key with Access Token (GraphQL), or sending headers incorrectly.

Endpoints/examples discussed: /admin/api/2019-04|2019-10 customers/orders JSON and search. Pagination noted (max 250/page).

Artifacts: Multiple screenshots showing headers, Postman success, and IDE vs app discrepancies.

Status: Partially resolved; correct approach depends on app type and proper header configuration.

Summarized with AI on January 2. AI used: gpt-5.
19

Hi @champ_jrdz,

Private apps have been deprecated in favour of Custom Admin apps and the authentication now uses and access token. You can read more about this in our development doc on Access Tokens for Custom Apps in the Shopify Admin.

Hope that helps.