Has OAuth (Authorization code grant) default behaviour changed?

Topic summary

Reported issue: OAuth (authorization code grant) appears to be returning the wrong token type, seemingly changing default behavior without notice.

  • Symptoms observed over the past couple of weeks: customers become unauthorized about 24 hours after app setup. Investigation shows OAuth returning an online token instead of an intended offline token.
  • Initial mitigation: explicitly requesting an offline token when exchanging the code for an access token restored expected behavior for existing customers.
  • New development: despite specifying the offline token parameter, the flow suddenly began returning an online token again. This inconsistency contradicts expectations from the API documentation, which suggests no recent change.

Impact and concerns: unexpected token type causes customer disconnects and urgency, especially close to Black Friday.

Status: unresolved. The poster seeks clarification on whether behavior has changed and why the token type is fluctuating.

Summarized with AI on December 14. AI used: gpt-5.

Has current behaviour changed recently? API docs suggest not, but our behaviour is different (https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant#step-4-get-an-access-token)

We discovered in the past couple weeks that customers were getting unauthorised connections after 24hrs of setting up our app. I eventually discovered that the response returned via OAuth was now giving us an online token instead of an offline one.

To fix this, I’ve provided the property for an offline token as part of getting an access token, but it was a big problem for existing customers till we were able to add this in.

What is going on? I specified the offline token to work around this issue, and now all of a sudden, supplying that generates an online one!?!?!? Why are changes like this happening in the lead-up to BF?!?
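One way to catch this failure at install time rather than 24 hours later is to check the access mode of the token-exchange response before storing it. This is an added example, not code from the post or from Shopify. It assumes that online responses carry the per-user fields `associated_user` / `associated_user_scope` described in the linked documentation; the function names and sample responses are constructed for illustration.

```python
import json


class UnexpectedTokenType(Exception):
    """The token exchange returned a different access mode than the app expects."""


def classify_token_response(body: dict) -> str:
    """Return 'online' or 'offline' for a parsed token-exchange response.

    Assumption: only online (per-user) tokens include associated_user or
    associated_user_scope. expires_in alone is not used as the signal, so a
    response that merely expires is not mistaken for a per-user token.
    """
    if not body.get("access_token"):
        raise ValueError("token response has no access_token")
    if "associated_user" in body or "associated_user_scope" in body:
        return "online"
    return "offline"


def accept_token(raw: str, expected: str = "offline") -> dict:
    """Parse the response and refuse to persist a token of the wrong mode."""
    body = json.loads(raw)
    mode = classify_token_response(body)
    if mode != expected:
        # Fail closed and report metadata only; never log the token itself.
        raise UnexpectedTokenType(
            f"expected {expected} token, got {mode} "
            f"(expires_in={body.get('expires_in')})"
        )
    return {"mode": mode, "access_token": body["access_token"],
            "scope": body.get("scope", ""), "expires_in": body.get("expires_in")}


# Constructed sample responses (not captured from a real shop).
OFFLINE_SAMPLE = '{"access_token": "example-offline", "scope": "read_orders"}'
ONLINE_SAMPLE = json.dumps({
    "access_token": "example-online", "scope": "read_orders",
    "expires_in": 86399, "associated_user_scope": "read_orders",
    "associated_user": {"id": 1, "email": "user@example.com"},
})

if __name__ == "__main__":
    print(accept_token(OFFLINE_SAMPLE)["mode"])
    try:
        accept_token(ONLINE_SAMPLE)
    except UnexpectedTokenType as exc:
        print("rejected:", exc)
```

Raising at the exchange step turns a silent disconnect a day later into an immediate, alertable error during the OAuth callback.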