Using access token for a store to call shopify python sdk

Retired Boards Appdev Tools

Topic summary

Main issue: A sales channel embedded app passes the App Bridge “session token” (JWT) accessToken to the Shopify Python SDK and gets “Invalid API key or access token.”

Root cause: The App Bridge session token only authenticates the frontend-to-backend request (identifies shop and user). It is not an API access token and can’t be used to call Shopify APIs.

Correct approach:

  • Perform OAuth during app installation to obtain an API access token (online and/or offline).
  • Store the API access token in a database keyed by shop (and user if using online access).
  • On each request from the frontend, verify the session token (JWT), extract shop/user_id, look up the stored API access token, and use that to call Shopify APIs via the SDK.

Additional notes: This flow applies to sales channel apps as well. Shopify docs explicitly state session tokens can’t authenticate API requests. Implementation details include handling iframes, detecting installation state, and managing user logout.

Status: Conceptual resolution reached; action required is to implement the OAuth flow and token storage/lookup. No indication of a remaining API issue once using proper access tokens.

Summarized with AI on February 16. AI used: gpt-5.
4

Does your app perform oauth during installation?

When you first perform oauth you can use the grant code to get an access token. You have to save that access token in a database so you can look it up later to authenticate your requests to shopify from your server.

I’m making an embedded admin app so I’m not sure if it differs but I think app bridge works the same way for a sales channel app. The session token (a JWT token) just confirms that the client is who it says it is, you can get the shop and logged in user id.

There is some explanation here:https://shopify.dev/apps/auth/oauth/session-tokens#oauth-and-session-tokens

Specifically :

Unlike API access tokens, session tokens can’t be used to make authenticated requests to Shopify APIs.