Why am I getting 'access denied' when querying for activeSubscriptions in node app template?

Topic summary

Access denied occurs when querying activeSubscriptions under currentAppInstallation in a Shopify Node app (ensure-billing.js, API 2022-07), despite having scopes like read_orders and write_own_subscription_contracts. The GraphQL error targets currentAppInstallation.activeSubscriptions, with a small query cost, indicating a permission issue rather than throttling.

Cause identified: using online tokens (user-scoped) requires the logged-in user to be the store owner to view activeSubscriptions. Non-owner users trigger “access denied,” a nuance not clearly documented.

Resolution: switching to offline tokens (shop-scoped, not tied to a user session) restored access to activeSubscriptions without changing scopes. Alternatively, for online tokens, test as the store owner.

Key concepts: activeSubscriptions shows app billing status; currentAppInstallation is the app’s installation object in the Admin GraphQL API; online tokens are user-based, offline tokens are shop-based and persistent.

Outcome: issue resolved; no remaining open questions. The provided query and error snippet are central to understanding the problem and fix.

Summarized with AI on February 9. AI used: gpt-5.

Hi all,

I’m building an app using the node app template cli-three. Inside of ensure-billing.js there is a query for activeSubscriptions within the currentAppInstallation but I receive “access denied” in the response from Shopify. Here’s the culprit query:

query appSubscription {
 currentAppInstallation {
  activeSubscriptions {
   name, test
  }
 }
}

I’m using API version 2022-07 and I have been approved for subscription access within the partner dashboard. My access scopes are: read_customers,read_locales,read_orders,read_products,write_customer_payment_methods,write_own_subscription_contracts

Here is the response:

{
 data: null,
 errors: [
  {
   message: 'access denied',
   locations: [ { line: 4, column: 7 } ],
   path: [ 'currentAppInstallation', 'activeSubscriptions' ]
  }
 ],
 extensions: {
  cost: {
   requestedQueryCost: 2,
   actualQueryCost: 2,
   throttleStatus: {
    maximumAvailable: 1000,
    currentlyAvailable: 992,
    restoreRate: 50
   }
  }
 }
}

Is there something I’m missing?

Thanks in advance!

After some research, this post helped me solve the issue.

Apparently you need to be the “store owner” to have access to activeSubscriptions (unfortunately the docs don’t give any clues about this, resulting in wasted time). This is only the case if you are using “online” tokens, which give permissions based on the user who is logged in and using the app. User-based permissions were not required for my project, so changing to “offline” tokens solved the issue.

1 Like
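The diagnosis from the answer above, as an added example (not code from the post or from the Shopify template): a helper that takes the GraphQL response shown in the question plus the session that sent it, rules out throttling from the cost block, and flags the online-token, non-owner case. The function name, the result labels and the session shape (`isOnline`, `onlineAccessInfo.associated_user.account_owner`) are assumptions.

```javascript
// Added example. The session shape (isOnline, onlineAccessInfo.associated_user
// .account_owner) and all names here are assumptions, not the template's code.
const BILLING_PATH = ['currentAppInstallation', 'activeSubscriptions'];

function classifyBillingResponse(body, session) {
  const errors = body.errors || [];
  if (errors.length === 0) return { status: 'ok' };

  // Heuristic: rule out throttling using the cost block in the response.
  const cost = body.extensions?.cost;
  if (cost?.throttleStatus?.currentlyAvailable < cost?.requestedQueryCost) {
    return { status: 'throttled' };
  }

  // Match "access denied" raised on exactly the billing field path.
  const denied = errors.some(
    (e) =>
      /access denied/i.test(e.message || '') &&
      Array.isArray(e.path) &&
      BILLING_PATH.every((seg, i) => e.path[i] === seg)
  );
  if (!denied) return { status: 'other_error' };

  // Per the answer: with an online (user-scoped) token, only the store owner
  // can read activeSubscriptions. Offline tokens are shop-scoped.
  const isOwner = session.onlineAccessInfo?.associated_user?.account_owner === true;
  if (session.isOnline && !isOwner) {
    return { status: 'denied', cause: 'online_token_non_owner' };
  }
  return { status: 'denied', cause: 'not_explained_by_token_mode' };
}

// Constructed sample: the response from the question as a plain object.
const sampleResponse = {
  data: null,
  errors: [{
    message: 'access denied',
    locations: [{ line: 4, column: 7 }],
    path: ['currentAppInstallation', 'activeSubscriptions'],
  }],
  extensions: { cost: { requestedQueryCost: 2, actualQueryCost: 2,
    throttleStatus: { maximumAvailable: 1000, currentlyAvailable: 992, restoreRate: 50 } } },
};
// Constructed sessions: a staff user's online token and an offline token.
const staffSession = { isOnline: true,
  onlineAccessInfo: { associated_user: { id: 1, account_owner: false } } };
const offlineSession = { isOnline: false };
console.log(classifyBillingResponse(sampleResponse, staffSession));
```

Logging the returned `cause` alongside the shop and user id makes the non-owner case visible in app logs instead of surfacing as a generic billing failure.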