We’ve created a public app using the standard OAuth flow and installed it on several stores individually. Each store installation generates its own access token, and we are using the correct {store}.myshopify.com domain when making authenticated API calls.
However, we’ve encountered a critical issue:
When calling the products endpoint using the access token for a specific store (e.g., store-A.myshopify.com), the response appears to include products from multiple stores, not just the one the token is scoped for.
To clarify:
- Each store has its own access token and is making requests to its own store domain.
- We are not using a single shared token across stores.
- This behavior was verified by checking the returned product data, which includes items that should only exist in other stores.
- Our backend does not merge or mix data across tenants — all requests are scoped by store domain and token.
This seems to violate the expected behavior that each access token should only be valid for a single store’s data.
Could you please help us understand how this might be happening?
Is there any known issue or misconfiguration that could cause cross-store data to appear in the API response?