Public API curl requests & Authentication/Tokens

Shopify Apps

Topic summary

A developer from PriceZag reports authentication failures for new Shopify customers using their legacy API integration method, which has worked successfully for 8 years with existing customers. The issue involves curl requests using the format https://key:password@storename.myshopify.com/admin/api/YYYY-MM/products.json, which now returns “Invalid API key or access token” errors for new users.

Root Cause:
Shopify deprecated the REST API (as of October 2024) and the simple API key/password authentication method. New integrations must use OAuth 2.0 and GraphQL.

Solution Process:

  1. Register app in Shopify Partners dashboard to obtain Client ID and Client Secret
  2. Direct users to authorization URL where they grant permissions
  3. Handle redirect with temporary authorization code
  4. Exchange code for permanent access token (shpat_* format) via POST request
  5. Use access token in future API requests

Key Takeaway:
The OAuth flow allows Shopify and store owners to control, modify, or revoke third-party API access with granular permissions (“scopes”). The developer successfully tested the new authentication flow and provided a detailed, code-friendly explanation for others facing similar migration challenges. Legacy tokens starting with different prefixes continue working for existing customers.

Summarized with AI on November 5. AI used: claude-sonnet-4-5-20250929.
1

Hi,

I’m Nicholas, lead developer at PriceZag, a platform that monitors stores competitors.

For the last 8 years we provided our customers with a direct integration to Shopify so they can import their products to our platform directly from Shopify, and also update the price in their store based on the competitors and their repricing rules.

Everything worked fine for all these years, and still does for old customers, but it seems Shopify changed something recently that makes the authentication fail for new customers, or at least for some of them.

We use curl to make requests to Shopify. We wrote our own code for handling requests so we cannot use any Shopify library (which isn’t available anyway in the programming language we use).

The requests we make use the following URL format: https://key:password@storename.myshopify.com/admin/api/YYYY-MM/products.json

It has always worked very well, we ask our customers their storename, API key and password which they generate in their Shopify account for us, and curl simply uses the standard authentication method with these tokens.

But recently we get this error with new customers (while old customers have no problems) :

{“errors”:“[API] Invalid API key or access token (unrecognized login or wrong password)”}

I’ve seen this whole thing about the OAuth method which seems unnecessary complicated. Despite having decades of experience in both back-end development and cryptography I still can’t wrap my head around it. The docs available on Shopify’s website are very confusing and don’t get to the core of what the actual HTTP request should have or how we generate that with real code.

So can someone please help me with this?

If we stick to old school HTTP+SSL and nothing else (no library to depend on), what raw data should we send, and what should we ask our new customers?

Is that OAuth complicated method mandatory now? Did Shopify change this in the last few weeks?

Thanks!

2

Hi @PriceZag

You might have to update your api since October version already came out. If you are using rest API, it is already deprecated

3

Thanks but even when using “2021-04” which a lot of our old customers still use successfully it doesn’t seem to work for new customers.

I tried every version possible, but none seem to work with the standard HTTP “Authorization” header (which is what curl does when using the [email removed] format).

That’s what I’m trying to understand. And the docs are extremely vague and complex about all this.

4

Are you using REST api? You need to swap to graphiql. See documentation here

5

Why so complicated? …
Could you please explain me why it still works for our customers who use a token starting with “shpat” ?

How can our new customers also get a “shpat” token? What makes this “shpat” token different?

6

You can try the following

App Registration: Register your app in the Shopify Partners dashboard to obtain a client ID and secret.

Authorization Request: Direct users to the authorization URL to grant your app access:

GET

https://{storename}.myshopify.com/admin/oauth/authorize?client_id={your_client_id}&scope={scopes}&redirect_uri={redirect_uri}​

Handle Redirect: After the user authorizes your app, Shopify will redirect to your specified redirect URI with a temporary code.
Exchange Code for Token: Use this code to request an access token:

POST https://{storename}.myshopify.com/admin/oauth/access_token
Content-Type: application/json

{
"client_id": "{your_client_id}",
"client_secret": "{your_client_secret}",
"code": "{the_code_received}"
}

Use Access Token: You will receive an access token in the response, which you’ll use for your GraphQL requests.

POST https://{storename}.myshopify.com/admin/api/YYYY-MM/graphql.json
Headers:
"X-Shopify-Access-Token": "{access_token}"
"Content-Type": "application/json"

Body:
{
"query": "{
products(first: 10) {
edges {
node {
id
title
variants(first: 5) {
edges {
node {
id
price
}
}
}
}
}
}
}"
}
1 Like
7

Thank you so much JiniApps!

This is finally clear, as you used some coder-friendly language (while Shopify docs seem to be written by bureaucrats rather then coders).

I have created a test store and successfully made all requests manually which ended up returning a final shpua_* token that we can then use for future requests.

For anyone visiting this page with the same issue and confused by Shopify docs I will summarize below what to do (in coder-friendly language) :

First, to answer my question “Why so complicated?”, the obvious reason is that Shopify wants to be able to control and revoke API access to any third party (like us), either themselves or to let the store owner do that. They can also modify the permissions granted rather than revoking the whole thing.

So from the user perspective (the person having a Shopify store) the process goes like this:

  1. User clicks some “Connect my Shopify store” link on the third party’s website (like us PriceZag)
  2. That links goes to their own store where they are prompted to grant permissions to that app called “PriceZag”
  3. They click an “Install” button and are redirected back to that third party’s website
  4. That URL to which they are redirected thanks them for linking Shopify, but also gets from Shopify some URI parameters it will use for back-end requests.

So what coders must do for all that to happen:

1. The third party app (like us PriceZag) must create an account at partners.shopify.com where they define the name of the app and so on.

2. In that platform they get a “Client ID” and “Client Secret”, each is a 32-long hex string (128 bits)

3. They also must define “Redirection URL(s)” which is not what sets the URL but what ALLOWS specific URL(s) to be used to redirect the user back to the website in the process I described above.

4. As JiniApps mentioned, the URL to which to send the Shopify user when then click some “Connect my Shopify store” button is:

https://{storename}.myshopify.com/admin/oauth/authorize?client_id={your_client_id}&scope={scopes}&redirect_uri={redirect_uri}​

This is NOT a request to make in the background, it is the URL the user must click on the front-end.

The “redirect_uri” is where the user goes back on our website after clicking “Install”, so in our case it is:

&redirect_uri=https%3A%2F%2Fpricezag.com%2Fshopify-redirect

To this URL will be added some URI parameters which we must save.

What Shopify calls “scope” (vague bureaucrats language) in fact means “permissions”. It our case it will be:

&scope=read_products%2Cwrite_products%2Cread_price_rules

There is also a &state= parameter to put, which is just an arbitrary random string which you get back when the user is redirect back to the website.

All this is explained here: https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant#step-2-request-authorization-code

and the permissions (“scopes”) are here: https://shopify.dev/docs/api/usage/access-scopes#authenticated-access-scopes

5. After clicking “Install that App” the user is redirected by Shopify to that “redirect_uri” which now contains various URI parameters:

&code= : a temporary 128-bit in hex format to save, they call it {authorization_code} in their docs. This is NOT how we make all future requests to the store, there’s still one more step…

Besides “code” there are a few more useful URI parameters which you can see at step 2 in the link above, they are: hmac, host, shop, state, and timestamp.

6. Finally, as JiniApps mentioned, you make a back-end POST request using that “code” you got in the URL parameters when the user was redirected. With curl it would look like this:

curl -H 'Content-Type: application/json' -d '{"client_id":"my_app_id","client_secret":"my_app_secret","code":"that_code_from_redirect"}' 'https://THEUSERSTORENAME.myshopify.com/admin/oauth/access_token'

And you get this as a response:

{"access_token":"shpua_xxxxxxxxxxxx","scope":"write_products,read_price_rules"}

They call this “token exchange” (exchanging the “code” URI parameter for receiving a “shpua” token) and it’s documented here: https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/token-exchange

7. You made it! Now you can use that shpua token for all future requests to that store by putting it as a “X-Shopify-Access-Token” HTTP header, for example:

curl -H 'X-Shopify-Access-Token: shpua_xxxxxxxxxxx' 'https://THEUSERSTORENAME.myshopify.com/admin/api/2024-01/products.json?limit=3' | python -mjson.tool