What's causing my Multipass API authentication issues on Shopify+?

Shopify Discussion

Topic summary

A developer is experiencing persistent 422 “Invalid Multipass request” errors when attempting to authenticate users via Shopify’s Multipass API from an external Next.js application. The issue occurs despite confirming correct credentials (MULTIPASS_SECRET and WEBSITE_URL) and properly formatted token URLs.

Troubleshooting attempts that failed:

  • Testing multiple NPM packages (multipassify, multipass-js)
  • Switching between .myshopify.com and primary TLD URLs
  • Using different redirect methods (window.location.href, fetch API)
  • Deploying to production subdomain to rule out CORS/localhost issues

Suggested solutions from community:

  • Add created_at field in ISO date format alongside email
  • Remove IP address from the request (known to cause issues)
  • Consider using the hydropass package specifically for Hydrogen storefronts

The original poster shared their serverless function code (via screenshot) and a test client application for debugging. Status: The issue remains unresolved with at least one other user reporting the same problem.

Summarized with AI on October 29. AI used: claude-sonnet-4-5-20250929.
1

I’m running into some major issues using the Multipass API to authenticate users on our Shopify+ storefront from an outside source. I’m using a simple Next.js API function as my endpoint to call Multipass using Shopify’s suggested Node.js package, multipassify. I also attempted to use a newer NPM package called multipass-js but no luck there either.

Basically, no matter how I construct my encrypted/encoded token URL I receive a 422 error from the Multipass endpoint with little context into the specifics of the issue. It simply says “Invalid Multipass request”, and I can tell the error from the server is a 422.

I’ve already confirmed that my MULTIPASS_SECRET and WEBSITE_URL are both matching, correct values, and the multipass URL passed back from the API appears to be properly constructed as well. Here’s an example URL for reference: [https://made-by-haven-staging.myshopify.com/account/login/multipass/VAv-e4CWHxBgIuDf1JUvNV74QYJoWMIPg-5BKtwijhguYwJYJorbia2rp59PUvQ5mefI26W5YSGseuKDTzuhDw-_-6ohFN69v7k7uZ18K4CU7kVdVtA6x38__RAY1Lb5TSbtPSXkw-w-ggBZ9QRpVNAYctFI9q6m_vdk0k1NGmxWumBLB9tBr-JUzk9QV_X2-2mJKPYC75Eepe2mBosfaw==](Please Log In) I’ve even attempted to set the base URL to our primary TLD instead of the .myshopify.com URL to see if that has any effect. No luck.

Also, I’ve tried using a simple window.location.href redirect to the new tokenized login URL as well as a GET call using the fetch api, but neither one seems to have any impact on the 422 error that Shopify returns. Similarly, I thought my issue could be CORS-related since I was working on localhost for my initial tests, but after deploying to a subdomain of our main site the issue continues to persist.

Here’s a look at the API function that I constructed to generated the tokenized URL:

multipass serverless function
multipass serverless function1142×546 52.1 KB

For extra context, you can check out my dumb client app to help test things out. Use colin.darland@gmail.com to be certain you’re posting an email with an active user account: https://staging-api.hineighbor.com/

Any feedback or suggestions would be freaking awesome. I’m stumped on this one.

2

I hope you figured it out, but you need created_at: ISODateFormat along with email. Get rid of the IP as well, it always caused issues for me.

3

Did you ever figure this out? I’m running into the same thing.

4

Try using “hydropass” npm package if you are using hydrogen storefront. It is working in my case.

https://www.npmjs.com/package/hydropass

5

Try using “hydropass” npm package if you are using hydrogen storefront. It is working in my case.

https://www.npmjs.com/package/hydropass