Hey, I am trying to make an HTTP API call to the Shopify Admin GraphQL API in Postman with the offline access token for a store as the X-Shopify-Access-Token header, but I keep getting this error: { "errors": "[API] Invalid API key or access token (unrecognized login or wrong password)" }.
The access token I’m using is the offline access token I get using the OAuth flow when the app is installed on the store. When I run the same query on the GraphiQL server, it works properly, but in Postman I’m getting this error. What am I missing?
First, please be very careful when sharing request data.
You just exposed these keys publicly. I know this is most likely a development store based on the merchant’s *.myshopify.com domain, but sharing these request details publicly exposes all of the data that this Shopify store has granted you access to.
I’ve gone ahead and edited out the sensitive request headers, but please keep this in mind, especially since orders contain customer PII information, which you need to safeguard as a developer.
Alright, onto your question.
I noticed that your offline access token was extremely long. Are you sure you’re not passing in a session token?
A session token is a JWT token which represents a short-lived session between your app and a specific Shopify merchant’s staff.
This session token can be exchanged for an offline token which is much shorter and can be used to authenticate against the Admin API.
Hey @Dylan, thanks for pointing it out, I’ll be more careful from now on. The issue was on my end: in my app, the access token is encrypted before being stored in the database, and I mistakenly used the encrypted token directly in the request. That’s what caused the problem, but it’s been resolved now. Thanks!
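The check discussed in this thread (is the value in the header actually a JWT session token?) can be run locally, and its output is safe to paste into a forum post because it never contains the token. This is an added example, not part of the original thread and not Shopify code; `describeToken`, `decodeSegment`, `toBase64Url` and the sample values are hypothetical names and constructed data.

```javascript
// Describe a credential's shape without revealing it.
// Shape check only: the JWT signature is NOT verified here.

function decodeSegment(seg) {
  // base64url -> base64, then parse; returns null unless it is a JSON object
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) return null;
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  try {
    const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return obj !== null && typeof obj === 'object' && !Array.isArray(obj) ? obj : null;
  } catch {
    return null;
  }
}

function describeToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const value = String(token).trim();
  const report = { kind: 'opaque', length: value.length };
  const parts = value.split('.');
  if (parts.length !== 3) return report;
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  if (!header || typeof header.alg !== 'string' || !payload) return report;
  report.kind = 'jwt';                          // header.payload.signature
  report.alg = header.alg;
  report.claims = Object.keys(payload).sort();  // claim names only, no values
  if (typeof payload.exp === 'number') {
    report.expired = payload.exp <= nowSeconds;
    report.secondsLeft = payload.exp - nowSeconds;
  }
  return report;
}

function toBase64Url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed samples (not real credentials)
const NOW = 1700000000;
const sampleJwt = [
  toBase64Url({ alg: 'HS256', typ: 'JWT' }),
  toBase64Url({ iss: 'https://example.myshopify.com/admin', exp: NOW + 60 }),
  'constructed-signature',
].join('.');
const sampleOpaque = 'constructed_opaque_token_0123456789';

console.log(describeToken(sampleJwt, NOW));    // kind: 'jwt', short-lived
console.log(describeToken(sampleOpaque, NOW)); // kind: 'opaque'
```

An `opaque` result does not prove the value is the right token: a token that was encrypted before storage, as in the last reply, is also opaque, so compare the reported length with that of the token originally issued to the app.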