App Bridge v4 CDN — automatic fetch authorization sends expired/undefined tokens, X-Shopify-Retry-Invalid-Session-Request doesn't recover

I’m building an embedded app using the App Bridge v4 CDN script (app-bridge.js) with a custom backend (Cloudflare Workers + Hono). I’m NOT using the Remix/React Router template.

Setup:

  • <meta name="shopify-api-key" content="..." /> in <head>

  • <script src="https://cdn.shopify.com/shopifycloud/app-bridge.js"></script> in <head>

  • Backend verifies session token JWT via HMAC-SHA256 (standard approach per docs)

  • 401 responses include X-Shopify-Retry-Invalid-Session-Request: 1 header

Issue: I see intermittent 401 Unauthorized errors, especially after:

  1. Navigating between pages in the app

  2. Switching away from the browser and returning after >60 seconds

Looking at the server logs, the Authorization header either contains an expired token or is missing entirely. I see two consecutive 401s for the same endpoint - indicating App Bridge attempted the retry (per the X-Shopify-Retry-Invalid-Session-Request header) but the retry also failed with an expired/missing token.

Workaround: I now manually call shopify.idToken() before each fetch request and set the Authorization header myself. This resolves the issue completely - every request gets a fresh token.

// Fetch a fresh session token for each request instead of relying on auto-injection
async function withSessionToken(headers = {}) {
  if (window.shopify) {
    const token = await window.shopify.idToken();
    headers["Authorization"] = `Bearer ${token}`;
  }
  return headers;
}

Questions:

  1. Is the auto-injection mechanism expected to always provide fresh tokens, or does it cache them?

  2. Is manually calling idToken() the recommended approach for non-Remix apps, or should auto-injection be sufficient?

  3. The thread “Requests constantly missing JWT” describes the same root cause (no validation in the token-setting code). Has this been addressed?

Environment: Shopify API version 2026-01, App Bridge CDN (latest)

Hey @Luke, we had the issue of expired and undefined tokens for over a year, immediately after migrating to the CDN AppBridge. In that time, we could never trigger the problem ourselves, so we didn’t know what the cause was.

At some point, we tried the same approach as you did (appending the token manually), but the problem continued exactly as before, so we removed the workaround.

Later on, I looked at the AppBridge code that handles appending the token and found that it had no error handling mechanism. I don’t know if it does now.

Ultimately, Alan from Shopify kindly assisted with taking our case to the AppBridge team, and they must have done something because the number of problems suddenly decreased significantly, around November of 2025.

I have no idea how things stand now.

I think much of the pain around authentication started when Safari unilaterally and hastily went to war against third-party cookies, without suggesting a proper replacement. Several years passed, and I believe Chrome introduced the idea of partitioned cookies.

It fixes the problem that Safari wanted to solve in a very simple way. It’s just cookies as usual, but scoped to the iframe within a top-level context (think the Shopify admin). All current browsers support it, including Safari 26.2 (released Dec 2025).

It would probably be perfect for authenticating embedded apps now, without the need to monkey-patch fetch. Also, non-Ajax requests would work again.

Whenever I see reports of problems regarding tokens, I wonder if it’s feasible to continue on that road. CDN AppBridge probably came out 2 years ago, and some token problems don’t seem to go away. I wish Shopify would consider cookies again in the future, but Safari left such a bad impression that maybe that ship has sailed.