Admin GraphQL API: Intermittent ACCESS_DENIED on markets field for one store, while identical app and query work on another store

GraphQL Admin API Troubleshooting
1

We are experiencing inconsistent behaviour with the Shopify Admin GraphQL API
Use case 1 :
When we query direct from postman, its returns proper response.
Use case 2 :
When we query through app bridge, its getting response with error “Access denied for markets field.”
Use case 3 :
When we query direct from postman, its returns proper response on another store.
Use case 4 :
When we query through app bridge, its getting proper response on another store.

Below is query returns error:

query {
  products(first: 10, query: "id:8611672031512") {
    edges {
      node {
        id
        title
        variants(first: 200) {
          nodes {
            id
            title
            price
            sku
            metafield(namespace: "$app", key: "priceRule") {
              value
            }
          }
          pageInfo {
            hasNextPage
            endCursor
          }
        }
      }
    }
  }
  shop {
	name
	currencyCode
	currencyFormats {
		moneyInEmailsFormat
		moneyWithCurrencyInEmailsFormat
	}
  }
  markets(first: 50) {
    edges {
      node {
        id
        name
        handle
        enabled
        primary
        currencySettings {
          baseCurrency {
            currencyCode
          }
        }
      }
    }
  }
  currentAppInstallation{
		id
		 metafield(namespace: "app_settings", key: "registractionForm") {
			value
		}
	}
}

Error

{
  "message": "Access denied for markets field.",
  "locations": [
    {
      "line": 33,
      "column": 3
    }
  ],
  "path": ["markets"],
  "extensions": {
    "code": "ACCESS_DENIED",
    "documentation": "https://shopify.dev/api/usage/access-scopes"
  }
}

image
image1287×106 22.8 KB

Environment
• Embedded Shopify App
• Shopify App Bridge
• Admin GraphQL API
• Same application codebase
• Same app installation
• Same API scopes
• Same query logic

What We Have Verified
A. Apps granted scope
The following query executes successfully on both stores:

{
	appInstallation {
	accessScopes {
		handle
		}
	}
}

Working store response:

{
    "data": {
        "appInstallation": {
            "accessScopes": [
                {
                    "handle": "read_cart_transforms"
                },
                {
                    "handle": "read_customers"
                },
                {
                    "handle": "read_discounts"
                },
                {
                    "handle": "read_draft_orders"
                },
                {
                    "handle": "read_markets"
                },                
                {
                    "handle": "read_checkouts"
                }
            ]
        }
    }
}

Non-working store response:

{
    "data": {
        "appInstallation": {
            "accessScopes": [
                {
                    "handle": "read_cart_transforms"
                },
                {
                    "handle": "read_customers"
                },
                {
                    "handle": "read_discounts"
                },
                {
                    "handle": "read_draft_orders"
                },
                {
                    "handle": "read_markets"
                },                
                {
                    "handle": "read_checkouts"
                }
            ]
        }
    }      
}

B. Markets API Access
The following query executes successfully on both stores:

{
  markets(first: 10) {
    nodes {
      id
      name
    }
  }
}

Working store response:

{
  "data": {
    "markets": {
      "nodes": [
        {
          "id": "...",
          "name": "Canada"
        }
      ]
    }
  }
}

Non-working store response:

{
  "data": {
    "markets": {
      "nodes": [
        {
          "id": "...",
          "name": "Canada"
        }
      ]
    }
  }
}

This confirms that:
• The app can access the markets resource.
• Authentication is working.
• The read_markets scope appears to be granted.

Regions Query
The following query also succeeds:

{
  markets(first: 10) {
    nodes {
      id
      name
      regions(first: 10) {
        nodes {
          name
        }
      }
    }
  }
}

Web Presence Query
The following query succeeds but returns null values:

{
  markets(first: 10) {
    nodes {
      name
      webPresence
    }
  }
}
Response:
{
  "data": {
    "markets": {
      "nodes": [
        {
          "name": "Canada",
          "webPresence": null
        }
      ]
    }
  }
}

No access error is returned.

App Scopes / Authentication
We have verified:
• App installation is valid.
• App authentication is working.
• Other Admin GraphQL queries succeed.
• The issue is reproducible only on a specific store.
• The same application works correctly on another store.

Browser / App Bridge
We have ruled out:
• Browser cache
• Embedded App configuration
• App Bridge initialisation
• Session token issues
• Storefront/Admin authentication issues
The same store can successfully execute basic markets queries.

Observations
The error appears only within one of our production queries and Shopify reports:

{
  "path": ["markets"],
  "code": "ACCESS_DENIED"
}

even though basic markets queries succeed on the same store.
This suggests one of the following:
1. A nested field under markets requires additional permissions.
2. The store has a Markets-specific restriction or feature flag.
3. Shopify is returning ACCESS_DENIED at the parent markets field even though the actual denial occurs on a nested Markets sub-resource.

Request
Could Shopify Support please help determine:
1. Which specific field under markets is triggering the ACCESS_DENIED response?
2. Whether there are any store-level restrictions, feature flags, or permissions affecting Markets API access for this store?
3. Whether Shopify logs show a more detailed authorization failure than the GraphQL response currently provides?

2

Perhaps unrelated, but yesterday, when trying to access markets in a dev store via the admin UI, it would load the list of markets as expected, but when clicking on an individual market, it would return a 500 error and then immediately redirect me to a page saying, “This feature isn’t currently available on your store”.

This is a recent issue, as I have used markets on this store before and my permissions have not changed.

3

Hey @Shrutika_Lokhande - thanks for reaching out.

The main thing I’d check here is the token/user permission difference between Postman and App Bridge. The appInstallation.accessScopes check confirms the app has read_markets, but if your embedded App Bridge direct API calls are using direct_api_mode = "online", those calls also respect the currently logged-in staff user’s permissions on that specific store. That could explain why Postman works while the embedded app fails on only one store.

A couple next checks I’d suggest:

  1. Test the embedded app while logged in as the shop owner, or a staff user with full Markets permissions.
  2. Confirm whether your app config has direct_api_mode = "online" or "offline".
  3. Bisect the markets selection set in the embedded flow, especially these fields: handle, enabled, primary, and currencySettings.

Also, enabled and primary are deprecated on Market, so I’d swap enabled for status where possible:

query {
  markets(first: 10) {
    nodes {
      id
      name
      handle
      status
      currencySettings {
        baseCurrency {
          currencyCode
        }
      }
    }
  }
}

If this still fails for the shop owner/full-permission user, could you share the API version being used and an x-request-id from the failing App Bridge response? That would be the most useful next piece for checking what’s happening on our end.

@Alex_Moser - I can’t say whether that’s the same underlying issue, but the Markets Admin UI 500 followed by “This feature isn’t currently available on your store” is definitely worth checking separately.

Could you share a bit more detail on that dev store?

  • Was the dev store created with any feature preview enabled?
  • What plan type was selected for the dev store?
  • Are you the store owner, or accessing it as a staff member?
  • If you can reproduce it, could you grab the request ID from the failed Admin request in the browser network tab?

For both cases, an x-request-id, API version, and the exact timestamp of a failed request would be the most useful next pieces for checking what’s happening on our end.

Let me know if I can clarify anything here - thanks!

4

@Alan_G Seems to be working properly now, though all products were set to draft for some reason (weird). It’s a Plus sandbox dev store, I have full permissions but am not the owner. I don’t see any associated feature previews, and it was created over 3 years ago.

Either way, everything seems to be functional again.

5

Hey @Alex_Moser - thanks for letting us know and glad to hear it’s working now. If you do see the error pop up again, just let me know and I can take a look into it for sure.