PaymentSessionResolve Shopify CURL access denied

Shopify Apps

Topic summary

A developer is encountering an “access denied” error when attempting to call the Shopify PaymentSessionResolve GraphQL mutation using PHP cURL. The same request works successfully in Postman, suggesting the issue is specific to the cURL implementation rather than authentication credentials.

Key details:

  • The mutation targets the Payment Apps API endpoint
  • Headers include Content-Type: application/json and X-Shopify-Access-Token
  • The PHP code appears partially corrupted or obfuscated in the provided snippet, making full diagnosis difficult

Current status:

  • The issue remains unresolved with no responses yet
  • The developer needs help identifying why cURL requests are being blocked while Postman requests succeed with identical credentials
Summarized with AI on November 22. AI used: claude-sonnet-4-5-20250929.
1

Hello.

When I try to call the mutation PaymentSessionResolve on php curl its return a HTML wich says: “You don’t have permission to access this website”.

Using postman it work perfectly.

Here is my php code:

$headers = [
‘Content-Type’ => ‘application/json’,
‘X-Shopify-Access-Token’ => ‘mytoken’
];

$graphqlQuery = [
“query” => ‘mutation PaymentSessionResolve($id: ID!, $authorizationExpiresAt: DateTime) {
paymentSessionResolve(id: $id, authorizationExpiresAt: $authorizationExpiresAt) {
paymentSession {
id
state {
… on PaymentSessionStateResolved {
code
}
}
nextAction {
action
context {
… on PaymentSessionActionsRedirect {
redirectUrl
}
}
}
}
userErrors {
field
message
}
}
}’,
‘variables’ => [
‘id’ => $gid
]
];

$query = json_encode($graphqlQuery);

$log->write(“graphql” . print_r($graphqlQuery, true), 8);

$curl = curl_init();

curl_setopt_array($curl, [
CURLOPT_URL => “https://mystore.myshopify.com/payments_apps/api/2023-01/graphql.json”,
CURLOPT_CUSTOMREQUEST => “POST”,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => $headers,
CURLOPT_POSTFIELDS => $query,
]);

$response = curl_exec($curl);
curl_close($curl);