Hi, I have a Shopify application that has been active for 4+ years. I’ve never previously had any issues with OAuth. All of a sudden I’ve begun to receive a 401 error response for all endpoints when using the access tokens from newly OAuth’d users.
This is the response body:
{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}
I have not made any code changes to the integration in 2+ months, and this started happening in the past week. Virtually all new stores that connect have this issue in the past week. However my test stores are still working successfully.
I’m using GraphQL, however the legacy REST API endpoints are failing with the same response code (401):
curl -i \
-H "X-Shopify-Access-Token: ${TOKEN}" \
https://${SHOP}.myshopify.com/admin/api/2025-01/shop.json
Response:
HTTP/2 401
date: Sat, 27 Dec 2025 19:46:27 GMT
content-type: application/json; charset=utf-8
x-sorting-hat-podid: 244
x-sorting-hat-shopid: 63705383157
referrer-policy: origin-when-cross-origin
x-frame-options: DENY
x-shopid: 63705383157
x-shardid: 244
www-authenticate: Basic Realm="Shopify API Authentication"
strict-transport-security: max-age=7889238
x-request-id: ac1f9283-c85b-459f-a6d2-1d2350c979d0-1766864787
server-timing: processing;dur=14, verdict_flag_enabled;desc="count=3";dur=0.678, _y;desc="018620ea-e5ed-423c-8380-00a232e19d33", _s;desc="160f9f41-5bd7-41aa-94c2-9e6fbfd3b519"
content-security-policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.pci.shopifyinc.com https://checkout.pci.shopifyinc.com/build/04ed4e1/card_fields.js https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=show&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fshops&source%5Bsection%5D=admin_api&source%5Buuid%5D=ac1f9283-c85b-459f-a6d2-1d2350c979d0-1766864787; report-to shopify-csp
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
reporting-endpoints: shopify-csp="/csp-report?source%5Baction%5D=show&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fshops&source%5Bsection%5D=admin_api&source%5Buuid%5D=ac1f9283-c85b-459f-a6d2-1d2350c979d0-1766864787"
x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1
alt-svc: h3=":443"; ma=86400
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yQ9hRMj6W9X5KaxetQmalm4n%2Fl3xGujcqUV%2FJaF6JH%2FAmntWgnvdCbwo9igRXlDaY9l%2B9JWaJMj6iV2u6H8IywDZeLx5vbx8NhPIgsEIXGJrIPR99MuzPxnKG1Y55YFBIDENRSjSkxzNFaRhQn1mfYN%2FNcnlAA%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
server-timing: cfRequestDuration;dur=117.000103
server-timing: ipv6
server: cloudflare
cf-ray: 9b4b52f97b800c97-SJC
{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}%
Has anyone else experienced this issue?
If so, do you know what could have changed here?