Custom backend Auth issue

Hi there,

We’re trying to set up custom backend authentication, but we keep encountering the following error when calling functions/v1/auth:

{"code":401,"message":"Invalid JWT"}

We generated a user token using generateUserToken and used that token to call the AUTH_API (following the steps in this guide: https://github.com/Shopify/shop-minis/blob/main/supabase/README.md).

However, we consistently receive the “Invalid JWT” response. We also generated a JWT and stored it as a secret in Supabase.

Could you please help us understand where we might be going wrong? Any guidance would be greatly appreciated.

Thank you!

Can you post here the request you are sending in the userTokenVerify mutation?
Have you run the setup command?

Yes, we ran npx shop-minis setup and got the API key which is stored in src/.env as SHOP_MINIS_API_KEY. We set this as SHOP_MINIS_ACCESS_TOKEN in our Supabase secrets.
The request we’re sending:

Endpoint: https://shop.app/api/graphql
Method: POST

Headers:

Content-Type: application/json
X-Shopify-Access-Token: <key-from-src/.env>

Body:

{
  "query": "mutation VerifyUserToken($token: String!) { userTokenVerify(token: $token) { publicId tokenExpiresAt userErrors { code field message } } }",
  "variables": { "token": "" }
}

Current status:
Token generation works correctly in iOS simulator (we see valid JWT tokens).
We have openid scope in our manifest.json.
We cannot test the userTokenVerify mutation because CSP is blocking network requests to our Supabase backend.
Error: “Refused to connect to https://Supabase-project-ref.supabase.co/functions/v1/verify-shop-user because it does not appear in the connect-src directive of the Content Security Policy”

In the Shop Admin API docs, it’s stated that to authenticate the request, the token must be sent in the Authorization header. Check this example:

curl -X POST \
  https://server.shop.app/minis/admin-api/alpha/graphql.json \
  -H 'Content-Type: application/graphql' \
  -H 'Authorization: Bearer <shop-minis-admin-api-key>' \
  -d '{your_query}'

Regarding the CSP error, you need to add the domain to your trusted_domains in the manifest.
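
The verification call with the header change suggested above, as an added example that is not code from the Shop Minis project or from anyone in this thread. buildVerifyRequest and parseVerifyResponse are hypothetical helper names; the endpoint and Bearer header come from the curl example, the mutation from the earlier post, and the JSON content type, the data.userTokenVerify response envelope and an ISO 8601 tokenExpiresAt are assumptions.

```javascript
// Added example; buildVerifyRequest / parseVerifyResponse are hypothetical helper names.
// Endpoint and Bearer header: from the curl example above. Mutation: from the thread.
const ADMIN_API_URL = "https://server.shop.app/minis/admin-api/alpha/graphql.json";
const VERIFY_MUTATION =
  "mutation VerifyUserToken($token: String!) { userTokenVerify(token: $token) " +
  "{ publicId tokenExpiresAt userErrors { code field message } } }";

// Build fetch() arguments. The API key goes in Authorization: Bearer,
// not in X-Shopify-Access-Token, and must stay a server-side secret.
// Assumption: application/json, because the body carries query + variables as JSON.
function buildVerifyRequest(apiKey, userToken) {
  if (!apiKey) throw new Error("missing API key");
  if (!userToken) throw new Error("missing user token");
  return {
    url: ADMIN_API_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${apiKey}` },
      body: JSON.stringify({ query: VERIFY_MUTATION, variables: { token: userToken } }),
    },
  };
}

// Fail closed: an HTTP error, GraphQL error, userError, missing publicId
// or expired token all yield { ok: false }.
// Assumption: standard GraphQL envelope and ISO 8601 tokenExpiresAt.
function parseVerifyResponse(status, body, now = new Date()) {
  if (status !== 200) return { ok: false, reason: `http_${status}` };
  if (Array.isArray(body?.errors) && body.errors.length > 0)
    return { ok: false, reason: "graphql_error" };
  const result = body?.data?.userTokenVerify;
  if (!result) return { ok: false, reason: "no_payload" };
  if (result.userErrors?.length > 0)
    return { ok: false, reason: `user_error:${result.userErrors[0].code}` };
  const expires = new Date(result.tokenExpiresAt);
  if (!result.publicId || Number.isNaN(expires.getTime()) || expires <= now)
    return { ok: false, reason: "expired_or_incomplete" };
  return { ok: true, publicId: result.publicId, expiresAt: expires.toISOString() };
}

// Constructed sample responses (not captured from the real API).
const SAMPLE_OK = { data: { userTokenVerify: {
  publicId: "pid_constructed", tokenExpiresAt: "2999-01-01T00:00:00Z", userErrors: [] } } };
console.log(parseVerifyResponse(200, SAMPLE_OK));
console.log(parseVerifyResponse(401, { code: 401, message: "Invalid JWT" }));
```
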

We are getting issues at the time of submission. We have already set up the npx shop-minis setup.

At the time of submission, we got this issue

Could you please let us know the steps to submit the app?

Are you still facing this issue?