php curl orders.json [API] Invalid API key or access token (unrecognized login or wrong password)

Hi folks

the url works on chrome browser, but the postman and php curl always show

“errors”: “[API] Invalid API key or access token (unrecognized login or wrong password)”

those are my simply php code

public function stest4(){

$API_KEY = 'myapikey';
$PASSWORD = 'myapipassword';
$STORE_URL = 'mystore.myshopify.com';
$AUTHORIZATION = base64_encode($API_KEY . ':' . $PASSWORD);
 

$url = 'https://' . $API_KEY . ':' . $PASSWORD . '@' . $STORE_URL . '/admin/api/2022-01/orders.json?status=any';

$shops_token = $PASSWORD;
 

$curl = curl_init($url);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "GET");
curl_setopt($curl, CURLOPT_HEADER, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_MAXREDIRS, 3);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($curl, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 60);
curl_setopt($curl, CURLOPT_TIMEOUT, 60);
 

curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-type: application/json','Accept: application/json'));

$response = curl_exec($curl);
curl_close($curl);

print_r($response);
 

}

I am using simpler cURL options, but am getting the same thing. And yet, the url being used WORKS in a browser! I have used this same code for many Private Apps, it is only now failing because I am forced to do a Custom App because Private Apps have been deprecated. What’s the difference ‘code wise’ in talking to a private app vs a custom app???

Could it be that custom apps don’t require a password & api key to authenticate - but just the API Access Token that you get with a custom app?