I have created a separate backend in a NodeJS application to query products, and below is my query. The token the endpoint is receiving is from the post-purchase extension built in an extension-only-app
app.get('/api/offer', async (_req: Request, res: Response) => {
const sessionToken = _req.headers['authorization']?.split(' ')[1];
if (!sessionToken) return res.status(401).json({ error: 'No Session Token Received' });
try {
const decoded = JWT.verify(sessionToken, process.env.SHOPIFY_API_SECRET as string) as {
input_data?: {
shop?: {
domain?: string;
};
};
};
const response = await fetch(`https://${decoded?.input_data?.shop?.domain}/admin/api/2025-07/graphql.json`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-Shopify-Access-Token': sessionToken
},
body: JSON.stringify({
query: `query getProductsByIDs($ids: [ID!]!) {
nodes(ids: $ids) {
... on ProductVariant {
availableForSale
id
image {
url(transform: {maxWidth: 400})
}
price {
amount
currencyCode
}
compareAtPrice {
amount
currencyCode
}
product {
title
id
}
}
}
}`,
variables: {
ids: ['gid://shopify/ProductVariant/55922219450742', 'gid://shopify/ProductVariant/55922219516278']
}
}),
});
const data = await response.json() as { data: any, errors: any };
if (data.errors) return res.status(400).json({ error: data.errors });
res.json({ data });
} catch (error: any) {
return res.status(401).json({ error: error.message });
}
});
Now when I am querying the result I am receiving the below error
{
"error": "[API] Invalid API key or access token (unrecognized login or wrong password)"
}
and when I am querying with (without admin included) fetch(`https://${decoded?.input_data?.shop?.domain}/api/2025-07/graphql.json`)
I am receiving the below error which is also mentioned here
{
"error": [
{
"message": "Online Store channel is locked.",
"extensions": {
"code": "BAD_REQUEST"
}
}
]
}
Insight on this would be highly appreciated and how can I overcome this