Embedded app checks stuck pending after fixing root cause — App Bridge CDN + session tokens verified, requesting manual verification (App ID 394949197825)

Hi team,

Both automated “Embedded app checks” are stuck pending and are blocking submission.
Every other preliminary step is green.

Stuck checks:

  • Using the latest App Bridge script loaded from Shopify’s CDN
  • Using session tokens for user authentication

App details:

IMPORTANT CONTEXT — this app genuinely had no qualifying signal until 12 July, and now it does.

Until 12 July this app had never completed a single successful Admin API call.
Root cause: it is a public app created after 2026-04-01, so expiring offline access
tokens are required, but @shopify/shopify-app-remix defaults
future.expiringOfflineAccessTokens to false. Token exchange therefore minted
non-expiring tokens and every Admin API call was rejected with an empty 403.
My Dev Dashboard > Logs page showed ZERO requests from the dev store, and API health
showed “Deprecated offline token use detected”.

Fixed on 12 July:

  • future.expiringOfflineAccessTokens: true (alongside unstable_newEmbeddedAuthStrategy: true)
  • purged all non-expiring session rows from session storage
  • reinstalled on the dev store

Verified working since the fix:

  • App Bridge: https://cdn.shopify.com/shopifycloud/app-bridge.js loads with HTTP 200 as
    the first script in the server-rendered , with data-api-key. Confirmed in DevTools
    Network, Referer = the app URL.
  • Auth: token exchange only. The session record now stores expires and a refreshToken,
    and expires rotates on refresh (observed 1783858929 → 1783893653).
  • Admin API: Dev Dashboard > Logs now shows “GraphQL request / admin / OK” entries for
    cashtrail-demo-pk. Before the fix there were none at all. API health now reports no
    deprecated API calls.
  • The app is opened only from Admin > Apps > Cash Trail, never a direct or tunnel URL.
  • The deployed Client ID matches the Partner Dashboard exactly.
  • I have interacted repeatedly since the fix: file upload, POST actions, settings save,
    billing/plan flow, multiple page navigations — all issuing authenticated Admin API requests.

Where I am stuck:
It has now been 24+ hours and roughly a dozen 2-hour check cycles since the fix, with
confirmed OK Admin API traffic under this App ID in your own logs, and both checks are
still pending.

My question: is the checker possibly still evaluating pre-12-July data, or holding a
cached “no signal” state from the period when this app legitimately had zero successful
API calls? If so, can the check be re-run, or manually verified?

Happy to provide a HAR export or a short screen recording of the embedded load showing
the app-bridge.js CDN fetch and the Authorization: Bearer <session_token> request.

One more data point: I am on Railway, and I have seen at least one other stuck report
from a Railway-hosted app with the same *-production.up.railway.app URL pattern. It may
be worth checking whether that edge is a common factor.

Thanks.

Hey @mohsin_chaudhary, thanks for reaching out. Could you check DevTools while using the embedded app and confirm whether the App Bridge telemetry POSTs to monorail-edge.shopifysvc.com are succeeding?

We’ve seen browser privacy tooling block these requests even when the app itself works correctly (VPNs, etc). If they’re blocked or failing, try again in a clean/incognito browser profile with extensions disabled.

If both of those workarounds don’t seem to fix things just let me know and I can look into this more deeply for sure.