This is a long time later, but I found out that the token you’re using is not a session token! It is a token that just represents the contents of inputData.
Topic summary
Main issue: API requests from a Checkout Post‑Purchase extension fail when using inputData.token as a “session token” for backend authentication. Servers (Rails, PHP/Laravel) report errors like “Session token had invalid API key” or InvalidAudienceError, because expected JWT claims are missing.
Findings:
- Decoded Post‑Purchase tokens lack key claims (aud, dest, exp, nbf, jti, sid) and even typ in header. Admin app tokens include these claims and validate correctly.
- The missing dest claim breaks libraries that require it (e.g., shopify-api-php), causing authentication exceptions.
- A suggested workaround (passing the token via storage from ShouldRender to Render) does not address validation; it only moves the same token around.
Latest update/clarification:
- inputData.token in Post‑Purchase is not a session token. It is a JWT that encodes the inputData payload, not intended for backend session authentication.
Implications:
- You cannot use inputData.token with standard session-token verification (koa-shopify-auth, ShopifyApp::JWT, shopify-api-php). A different auth approach is required for Post‑Purchase requests.
Status:
- No official fix or alternate token provided in thread; GitHub issue referenced without resolution. Discussion effectively identifies cause but remains open on recommended auth method.
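The claim gap described in the findings, as an added example (not code from the thread or from Shopify): a Node.js diagnostic that decodes a token without verifying it and reports which of the claims listed above are absent, so a backend can reject a Post-Purchase `inputData.token` with a clear error before passing it to a session-token library. The function names and sample tokens are constructed for illustration; the real payload layout of `inputData.token` is not shown in the thread.

```javascript
// Added diagnostic, not Shopify's code. It only inspects claims and does NOT
// verify the signature, so it is never a substitute for authentication.
const SESSION_CLAIMS = ["aud", "dest", "exp", "nbf", "jti", "sid"]; // from the thread

function decodePart(part) {
  // JWT segments are unpadded base64url; map to the standard alphabet first.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const obj = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (obj === null || typeof obj !== "object") throw new Error("not a JSON object");
  return obj;
}

function inspectToken(token) {
  const fail = (reason, missing) => ({ sessionShaped: false, reason, missing });
  const parts = String(token).split(".");
  if (parts.length !== 3) return fail("not a three-part JWT", []);
  let header, payload;
  try {
    header = decodePart(parts[0]);
    payload = decodePart(parts[1]);
  } catch (e) {
    return fail("undecodable JWT segment", []);
  }
  const missing = SESSION_CLAIMS.filter((c) => !(c in payload));
  if (!("typ" in header)) missing.unshift("typ (header)");
  if (missing.length > 0) return fail("missing session-token claims", missing);
  return { sessionShaped: true, reason: "all expected claims present", missing };
}

// Constructed sample tokens (hypothetical values, fake signature).
function makeToken(header, payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(payload)}.constructed-signature`;
}
const postPurchaseLike = makeToken({ alg: "HS256" },
  { iss: "constructed-shop.example", input_data: { note: "constructed" } });
const sessionLike = makeToken({ alg: "HS256", typ: "JWT" }, {
  iss: "constructed-shop.example/admin", dest: "constructed-shop.example",
  aud: "constructed-api-key", exp: 2000000000, nbf: 1900000000,
  jti: "constructed-jti", sid: "constructed-sid" });

console.log(inspectToken(postPurchaseLike));
console.log(inspectToken(sessionLike));
```

A token that passes this shape check still has to go through full signature and claim validation in the session-token library.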