GraphQL Calls from Postman - 403 Forbidden, REST Works Ok, GraphiQL App works

Hello all, having some struggles in starting testing using GraphQL. I’d appreciate any help or insights you may have! TIA.

What am I trying to do?

  • Test some GraphQL calls from Postman before starting to do so via code.

What’s the issue?

  • I keep getting a 403 forbidden response

What have I tried?

  • Graph calls from Shopify GraphiQL App within the development store work fine
  • REST API calls are working fine using the private app key and pwd
  • I have set Orders, transactions, Fulfillments access to read/write
  • POST to: https://.myshopify.com/api/2019-07/graphql.json
  • I’ve set Authorization to NONE
  • I’ve added 2 headers:
    • Content-Type: application/graphql
    • X-Shopify-Access-Token:

What am I doing wrong?


Hi @MozzoERP ,

Sounds like you are requesting a resource that you don’t have permission to, but I can’t confirm without seeing your query or searching the request-id for one of the failed requests. Can you provide one or both of those?

Cheers,

Hi @Busfox ,

Thanks for your reply.

Here is the X-Request-ID:

[{"key":"X-Request-ID","value":"b398fce7-a9e6-4816-af5c-db44d8737696","description":"Custom header","enabled":true,"disableEdit":true,"message":"Custom header"}]

And here is one of several queries I’ve tried.

{
  shop {
    products(first: 5) {
      edges {
        node {
          id
          handle
        }
      }
      pageInfo {
        hasNextPage
      }
    }
  }
}

Hi @Busfox , was this the info you needed or is the request Id some other value?

Anyone else able to perform GraphQL calls from postman using a private app password?

Anyone? @Busfox ? Bueller? :)

Hey @MozzoERP ,

I’m not seeing much aside from a 403 error. Is your secret being passed in the X-Shopify-Access-Token header properly in Postman? I tested this in Insomnia and it works fine. I also tested in Postman and had no issues.

When I look at the Postman code, it is showing this (myshop and token changed for security):

curl -X POST \
  https://<myshop>.myshopify.com/api/2019-07/graphql.json \
  -H 'Content-Type: application/graphql' \
  -H 'X-Shopify-Access-Token: 40351a29a725c88cdc0bbfc93322b9ac' \

Which looks identical to this Shopify provided example.

So I guess the only thing left is the value that I’m providing for the “X-Shopify-Access-Token”.

The authentication section of the documentation on this is not super explicit, so maybe I’m not doing something right here.

  1. I created a private app in my development store
  2. I used the API Password as the X-Shopify-Access-Token value in the header as seen in the curl request above
  3. I’ve also tried using the Access Token that gets generated when I connect my app to my dev store, with the same results.
  4. You mention “is your secret being passed properly…” a.) are you referring to something different than the API Password, i.e. you don’t mean the “Shared Secret” right? Also, see the curl example above, is that correct?
  5. So to confirm, there is no user value that has to be passed, just the X-Shopify-Access-Token with the oauth access token OR the private App Password?
  6. The private app verbiage states that private apps use basic authentication and provide an example url. If I use that means of authentication, I get a different error.
     {
         "errors": [
             {
                 "message": "Parse error on \"query\" (STRING) at [1, 2]",
                 "locations": [
                     {
                         "line": 1,
                         "column": 2
                     }
                 ]
             }
         ]
     }


@Busfox . Found the solution in this post (The net: use content-type of application/json, not application/graphql when using client access tools like Postman). The documentation is a bit misleading. We wasted a lot of time on this that a sentence or two would clear up in the docs. Hope it gets updated soon to help others.

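The Content-Type mismatch discussed in this thread, as an added example that is not part of the original posts or Shopify's own code: it builds the request body for each content type, flags a header that disagrees with the body shape, and redacts the access token before a request is pasted into a forum or ticket. The function names, the shortened query and the token placeholder are assumptions made for illustration, and the reading of the quoted parse error is an interpretation added here.

```python
import json

# Constructed sample values: the token is a placeholder, the query is a
# shortened form of the one posted in the thread.
TOKEN = "PLACEHOLDER-TOKEN"
QUERY = "{ shop { products(first: 5) { edges { node { id handle } } } } }"


def build_request(query, content_type, token):
    """Return (headers, body) for a GraphQL POST under the given Content-Type."""
    headers = {"Content-Type": content_type, "X-Shopify-Access-Token": token}
    if content_type == "application/json":
        body = json.dumps({"query": query})  # JSON envelope around the query
    elif content_type == "application/graphql":
        body = query                         # raw GraphQL document, no envelope
    else:
        raise ValueError("unsupported Content-Type: " + content_type)
    return headers, body


def diagnose(headers, body):
    """Flag a Content-Type header that disagrees with the shape of the body."""
    ctype = headers.get("Content-Type", "")
    try:
        parsed = json.loads(body)
        is_envelope = isinstance(parsed, dict) and "query" in parsed
    except ValueError:
        is_envelope = False
    if ctype == "application/graphql" and is_envelope:
        # Read as GraphQL text, '{' opens a selection set and the string
        # "query" at line 1, column 2 is not a valid field name.
        return "json-body-sent-as-graphql"
    if ctype == "application/json" and not is_envelope:
        return "raw-query-sent-as-json"
    return "ok"


def redact(headers):
    """Copy of the headers that is safe to share: secret values are masked."""
    secret = {"x-shopify-access-token", "authorization"}
    return {k: ("<redacted>" if k.lower() in secret else v)
            for k, v in headers.items()}
```
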