We are reaching out to report an issue affecting our production payment status flow for multiple merchants.
Starting March 16, 2026 around 21:00 IST, our service began receiving HTTP 429 responses from the Shopify payments_apps GraphQL endpoint used in our updatePaymentStatusInShopify flow. However, the response is not Shopify’s standard GraphQL throttling response. Instead, we are receiving a Cloudflare managed bot challenge HTML page with the message:
“Your connection needs to be verified before you can proceed”
We also see the Cloudflare managed challenge type as managed, along with a sample Ray ID: 9de631b6ff99a9f3
This is occurring on requests to: POST https://{store_name}.myshopify.com/payments_apps/api/{version}/graphql.json
GraphQL mutations involved:
-
paymentSessionPending -
paymentSessionResolve
This is distinct from Shopify’s normal API rate-limit response, which we do not see in these cases. The standard Shopify throttling response is JSON with "message": "Throttled" and GraphQL cost details, but that is not what we are receiving.
What we have observed:
-
The issue affects all merchants.
-
It started at a specific time on March 16, 2026 and has continued since then.
-
The errors appear in short bursts at roughly 12-hour intervals, typically around midnight and noon.
-
The response body is consistently a Cloudflare managed challenge page.
We would appreciate your help in investigating whether our requests are being blocked by Cloudflare or another edge protection mechanism, and whether any allowlisting or server-side remediation is required from Shopify’s side.