Surge in 430 status code in spite of using Buy Identity header

Topic summary

Surge in 430 (Shopify Security Rejection) responses on Admin REST and Storefront GraphQL APIs, especially for server-side rendered (SSR) headless storefronts and s2s apps, despite using the Shopify-Storefront-Buyer-IP header.

Recent context: After Shopify’s Aug 2023 change touting “no rate limits” on Storefront API, partners report stricter bot protection and more frequent 430s. Several note 430s arrive without a Retry-After header and can occur even at low traffic.

Observed behavior: 430s appear tied to IP-based or broader network heuristics (Cloudflare suspected), not per-credential limits. Some report random first-try failures (e.g., createDraftOrder). This conflicts with Shopify docs stating per-store/API-key rate limits.

Tried mitigations:

  • General: request optimization, caching, queuing/throttling (limited help for mutations like carts/checkout).
  • Admin SDK issue workaround: fetch smaller subsets of orders.
  • Networking: moving away from shared IPs; using static/dedicated egress via VPC connectors. Some saw 430s vanish after recreating a VPC connector; others still see 430s even with a static IP, hinting at route-based factors.

Status: No official fix. Support responses mixed; guidance focuses on reducing calls. Open questions: reliability of Buyer-IP header, presence of Retry-After for 430, and whether enforcement is IP vs credential-based.

Summarized with AI on January 2. AI used: gpt-5.

There is no Retry-After Header when the response is 430 and the system (Cloudflare worker?) that throws 430 is not honoring Shopify’s own documented allowed limit. In fact it can randomly throw a 430 when the client had not sent any traffic in a while at all.

This implies that the system that is throwing the 430 is doing so not on a per-api-key basis but based on some global heuristic.

The problem is that lately there is so much 430 throttling that it makes Shopify close to useless as a SaaS, even with all of the caching and proper error handling implemented.

(For example, the fact that createDraftOrder fails with 430 on first try is a major customer-facing problem, there’s nothing to cache at this point).

Shopify, please fix this. I am happy to work with you if you need diagnostics.

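Added example, not code from the thread or from Shopify: one way to collect the kind of diagnostics the post offers and to test the open question of IP-based versus credential-based enforcement, by grouping logged API responses by egress IP and by API key and comparing the 430 rate across groups. The record fields (`status`, `egress_ip`, `api_key`, `retry_after`), the helper names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict


def _rec(status, ip, key, retry_after=None):
    # Hypothetical log record shape: one entry per API response seen by the client.
    return {"status": status, "egress_ip": ip, "api_key": key, "retry_after": retry_after}


# Constructed sample (documentation IP ranges, made-up key names), not real traffic.
SAMPLE = (
    [_rec(200, "198.51.100.10", k) for k in ("key-A", "key-B")] * 4
    + [_rec(430, "203.0.113.7", k) for k in ("key-A", "key-B")] * 3
    + [_rec(200, "203.0.113.7", k) for k in ("key-A", "key-B")]
    + [_rec(429, "198.51.100.10", "key-A", retry_after="2")]
)


def rejection_rates(records, field):
    """Return {group: (count_430, total, rate_430)} with records grouped by `field`."""
    totals, rejected = defaultdict(int), defaultdict(int)
    for r in records:
        totals[r[field]] += 1
        if r["status"] == 430:
            rejected[r[field]] += 1
    return {k: (rejected[k], totals[k], rejected[k] / totals[k]) for k in totals}


def spread(rates):
    """Gap between the highest and lowest 430 rate across groups (0.0 if no data)."""
    values = [rate for _, _, rate in rates.values()]
    return max(values) - min(values) if values else 0.0


def likely_dimension(records, fields=("egress_ip", "api_key")):
    """Field whose groups differ most in 430 rate, i.e. the one that best explains 430s."""
    return max(fields, key=lambda f: spread(rejection_rates(records, f)))


def missing_retry_after(records):
    """Count 430 responses that carried no Retry-After value."""
    return sum(1 for r in records if r["status"] == 430 and r["retry_after"] is None)


if __name__ == "__main__":
    for field in ("egress_ip", "api_key"):
        print(field, rejection_rates(SAMPLE, field))
    print("430s track:", likely_dimension(SAMPLE))
    print("430s without Retry-After:", missing_retry_after(SAMPLE))
```

A large spread on `egress_ip` with a near-zero spread on `api_key` is the pattern the thread describes; the comparison only means something when the log covers more than one egress IP and more than one credential.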