Invalid API key or access token while using access_token given by oauth/callback for my App

Shopify Apps

Topic summary

Admin API requests to the GraphQL endpoint return: “[API] Invalid API key or access token (unrecognized login or wrong password)” and prompt for username/password, despite using the access_token obtained via the OAuth callback.

Context: The app requests scopes read_orders and read_all_orders and calls /admin/api/2024-07/graphql.json with X-Shopify-Access-Token. The setup previously worked; no intentional changes reported.

Suggestions provided:

  • Ensure the app has “protected customer data access” enabled in the app dashboard under API Access. The author reports this is already granted and shared a screenshot (image attached).
  • Double‑check the curl example replaces the placeholder domain (your-development-store.myshopify.com) with the actual store’s myshopify.com URL.

Status: No confirmed resolution yet. Next action is to verify the domain substitution in the request and retest. The discussion remains open pending confirmation or further troubleshooting steps.

Summarized with AI on December 17. AI used: gpt-5.
1

When using below API

curl -X POST \
https://your-development-store.myshopify.com/admin/api/2024-07/graphql.json \
-H 'Content-Type: application/json' \
-H 'X-Shopify-Access-Token: {access_token}' \
-d '{
"query": "query { orders(first: 10) { edges { node { id } } } }"
}'

With the access_token given by oauth/callback by following

const permissionUrl = `https://${shopOrigin}/admin/oauth/authorize?client_id=${apiKey}&scope=${[
      "read_orders",
      "read_all_orders",
    ].join(",")}&redirect_uri=${redirectUri}`;

Still while trying to fetch anything it ask for username and password.

The following error comes:

  "errors": "[API] Invalid API key or access token (unrecognized login or wrong password)"

Everything was working fine, nothing changed.

2

You might need to request the “protected customer data access” in your app dashboard, under “API Access” section.

3

I have that too

Screenshot 2024-10-15 at 10.05.19 AM.png
Screenshot 2024-10-15 at 10.05.19 AM.png844×618 40.4 KB

4

Just a very basic check, but did you replace “your-development-store.myshopify.com” in your example curl command with your own store’s URL?