Shopify GraphiQL API works for admin but not in storefront

Hello!

i have been posting this issue over two week but no one can anser the questions.

i have an app it is public not private !

I use some variables for Admin side it works perfect!

url : /admin/api/2020-07/graphql.json

if (!is_null($token)) $request_headers = "X-Shopify-Access-Token: " . $token;
$request_headers = “Accept: application/json”;
$request_headers = “Content-Type: application/json”;
$request_headers = "Host: ".$shop;
$request_headers = “cache-control: no-cache”;

—>OK

$token variable is access key for shopify user who installs the app and i get the key durring installation.

I know it is different options for public app to use graphql api so i use same token for strofront!

url : /api/2020-07/graphql.json

if (!is_null($token)) $request_headers = "X-Shopify-Storefront-Access-Token: " . $token;
$request_headers = “Accept: application/json”;
$request_headers = “Content-Type: application/json”;
$request_headers = "Host: ".$shop;
$request_headers = “cache-control: no-cache”;

----> NOT OK!

response return empty and response code is 403

i did not understand what shopfy means in the documantation about “X-Shopify-Storefront-Access-Token”

i do not see any spesific key for this method. by the way my app is not in sale channel.

one test store installed the app and i am using access key for that store in $token; variaable.

if you ask where do i generate $token; variable, here is the answer:

$api_key = “ad610a996a4aa4f3546890eexxxxxxxx”;
$shared_secret =“shpss_511156b13933c45808857dedxxxxxxxx”;
$params = $_GET; // Retrieve all request parameters
if(isset( $_GET[‘hmac’]))
$hmac = $_GET[‘hmac’]; // Retrieve HMAC request parameter

if(isset($_GET[“shop”]));
$shop=$_GET[“shop”];
$params = array_diff_key($params, array(‘hmac’ => ‘’)); // Remove hmac from params
ksort($params); // Sort params lexographically

if(isset($params[“url”]))
unset($params[“url”]);
$computed_hmac = hash_hmac(‘sha256’, http_build_query($params), $shared_secret);

// Use hmac data to check that the response is from Shopify or not
if (hash_equals($hmac, $computed_hmac)) {

// Set variables for our request
$query = array(
“client_id” => $api_key, // Your API key
“client_secret” => $shared_secret, // Your app credentials (secret key)
“code” => $params[‘code’] // Grab the access key from the URL
);

// Generate access token URL
$access_token_url = “https://” . $params[‘shop’] . “/admin/oauth/access_token”;

// Configure curl client and execute request
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $access_token_url);
curl_setopt($ch, CURLOPT_POST, count($query));
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($query));
$result = curl_exec($ch);
curl_close($ch);

// Store the access token
$result = json_decode($result, true);
$access_token = $result[‘access_token’];

//$access_token is equals $token variable.

however, i cannot access data with graphql api for storefront api

please help me to solve this problem..

Thank you!

{
“headers”:{
“status”:“HTTP/1.1 403 Forbidden\r”,
“Date”:“Sun, 23 Aug 2020 15”,
“Content-Type”:“text/html”,
“Transfer-Encoding”:“chunked”,
“Connection”:“keep-alive”,
“Set-Cookie”:“__cfduid=dee7e7fedaf75df668529f0e99dc68a061598197281; expires=Tue, 22-Sep-20 15”,
“X-Sorting-Hat-PodId”:“148”,
“X-Sorting-Hat-ShopId”:“45358055573”,
“Vary”:“Accept-Encoding”,
“Access-Control-Allow-Origin”:“*”,
“X-Frame-Options”:“DENY”,
“X-ShopId”:“45358055573”,
“X-ShardId”:“148”,
“Content-Language”:“tr”,
“Strict-Transport-Security”:“max-age=7889238”,
“X-Request-Id”:“d2881d60-818e-49a1-a648-31f9ebd9fdd7”,
“X-Shopify-Stage”:“production”,
“Content-Security-Policy”:“frame-ancestors ‘none’; report-uri /csp-report?source%5Baction%5D=query&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=api%2Fgraphql&source%5Bsection%5D=api&source%5Buuid%5D=d2881d60-818e-49a1-a648-31f9ebd9fdd7”,
“X-Content-Type-Options”:“nosniff”,
“X-Download-Options”:“noopen”,
“X-Permitted-Cross-Domain-Policies”:“none”,
“X-XSS-Protection”:“1; mode=block; report=/xss-report?source%5Baction%5D=query&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=api%2Fgraphql&source%5Bsection%5D=api&source%5Buuid%5D=d2881d60-818e-49a1-a648-31f9ebd9fdd7”,
“X-Dc”:“gcp-us-east1,gcp-us-east1”,
“CF-Cache-Status”:“DYNAMIC”,
“cf-request-id”:“04bd944a8500000f72df2e0200000001”,
“Expect-CT”:“max-age=604800, report-uri="https”,
“Server”:“cloudflare”,
“CF-RAY”:“5c75eff0db4b0f72-MXP”,
“alt-svc”:“h3-27="”
},
“response”:“”
}

Hey @Aljazari

You might want to check out this documentation on getting the storefront access token: https://shopify.dev/docs/storefront-api/getting-started, specifically the part for public apps.