Products from Multiple Stores Appearing in API Response

We’ve created a public app using the standard OAuth flow and installed it on several stores individually. Each store installation generates its own access token, and we are using the correct {store}.myshopify.com domain when making authenticated API calls.

However, we’ve encountered a critical issue:
When calling the products endpoint using the access token for a specific store (e.g., store-A.myshopify.com), the response appears to include products from multiple stores, not just the one the token is scoped for.

To clarify:

• Each store has its own access token and is making requests to its own store domain.
• We are not using a single shared token across stores.
• This behavior was verified by checking the returned product data, which includes items that should only exist in other stores.
• Our backend does not merge or mix data across tenants — all requests are scoped by store domain and token.

This seems to violate the expected behavior that each access token should only be valid for a single store’s data.

Could you please help us understand how this might be happening?
Is there any known issue or misconfiguration that could cause cross-store data to appear in the API response?

Hey @Idan_Moradov,

Thanks for sharing that. The API should only return data for the store that is requested and for the scopes that are granted to it.

Can you test in a separate API client like postman to see if you get the same results? That would help narrow down the issue to the API call/response itself, or possibly how the data is being handled in your app.

If you notice the same in an API client, can you share the x-request-id from the API response that returned information from multiple stores?

Hey @Idan_Moradov, Are you still experiencing this issue, or can I mark this as solved?