Hi Shopify Team
We are being redirected to an HTML page when making GraphQL requests to admin/api/2025-01/graphql.json
Nothing has changed on our side, however this started affecting all of our Shopify connections on September 22nd around 7pm BST
x-correlation-id → 74b4a5290c240257ef9d37123a816f79
Is there anything on your side that could be causing this?
Hey @Codat_Shopify
I was not able to locate the request based on the correlation id provided. Let’s dig in further though to find out what’s happening.
I’ve seen this happen before when there are issues with the request headers or formatting. If you have made any recent changes to your app code around this time maybe double check that the request formatting hasn’t changed.
From there, can you share an example of a request you are making (in CURL format) so I can try and replicate. Make sure to redact any identifying information and tokens.
Here is an example request, and the html response we are getting:
curl --location --request POST ‘ /admin/api/2025-01/graphql.json’
–header ‘Redacted’
–header ‘Content-Type: application/json’
–data-raw ‘{“query”:“query GetProducts {\r\n products(first: 10) {\r\n nodes {\r\n id\r\n title\r\n }\r\n }\r\n}”,“variables”:{}}’
Response:
<noscript>
<a
href="https://accounts.shopify.com/oauth/authorize?client_id=7ee65a63608843c577db8b23c4d7316ea0a01bd2f7594f8a9c06ea668c1b775c&destination_uuid=4f0beae7-98c2-45ba-afe9-df476fa7f961&nonce=992ff6804cc61e362676251c63d88981&prompt=merge&redirect_uri=https%3A%2F%2Fwhites-beaconsfield.myshopify.com%2Fadmin%2Fauth%2Fidentity%2Fcallback&response_type=code&scope=email%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fdestinations.readonly%20openid%20profile%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fpartners.collaborator-relationships.readonly%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fbanking.manage%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fmerchant-setup-dashboard.graphql%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fshopify-chat.admin.graphql%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fflow.workflows.manage%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Forganization-identity.manage%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fmerchant-bank-account.manage%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fshopify-tax.manage&state=bc1298c1c9b9ecf3612a41f37b0973da&ui_locales=en&ux=shop">Continue</a>
</noscript>
<script type="text/javascript" defer>
window.location **=** "https:\\/\\/accounts.shopify.com\\/oauth\\/authorize?client_id=7ee65a63608843c577db8b23c4d7316ea0a01bd2f7594f8a9c06ea668c1b775c\\u0026destination_uuid=4f0beae7-98c2-45ba-afe9-df476fa7f961\\u0026nonce=992ff6804cc61e362676251c63d88981\\u0026prompt=merge\\u0026redirect_uri=https%3A%2F%2Fwhites-beaconsfield.myshopify.com%2Fadmin%2Fauth%2Fidentity%2Fcallback\\u0026response_type=code\\u0026scope=email%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fdestinations.readonly%20openid%20profile%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fpartners.collaborator-relationships.readonly%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fbanking.manage%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fmerchant-setup-dashboard.graphql%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fshopify-chat.admin.graphql%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fflow.workflows.manage%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Forganization-identity.manage%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fmerchant-bank-account.manage%20https%3A%2F%2Fapi.shopify.com%2Fauth%2Fshopify-tax.manage\\u0026state=bc1298c1c9b9ecf3612a41f37b0973da\\u0026ui_locales=en\\u0026ux=shop";
</script>
Trying to replicate here and it’s working as expected for me. Are you able to test in a different API client like Postman?
Thanks for sharing that. If you query the store URL directly instead of through the proxy you have set up, does that work?
Hi @KyleG-Shopify - thank you for your patience. Here is a cURL request which is failing with:
{"errors":"For security reasons, requests using HTTP Basic Authentication cannot include cookies."}
curl --location 'https://commercetests.myshopify.com/admin/api/2025-01/graphql.json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer x' \
--header 'X-Shopify-Access-Token: x' \
--header 'User-Agent: test' \
--cookie "koa.sid=anything; koa.sid.sig=anything" \
--data '{"query":"{results:orders(first:50){items:edges{cursor,item:node{transactions{gid:id,order{id:legacyResourceId},gateway,formatted_gateway:formattedGateway,kind,parent:parentTransaction{id},status,amount_set:amountSet{presentment_money:presentmentMoney{amount,currency_code:currencyCode},shop_money:shopMoney{amount,currency_code:currencyCode}},created_at:createdAt,processed_at:processedAt}}},pageInfo{hasNextPage}}}"}'
Has something changed with Auth/Cookies at Shopify’s end?
Thank you
There was this change, which did start with 2025-01, the version you are using GraphQL Over HTTP - Shopify developer changelog
I’m not sure about cookies specifically though. I have seen errors in the past in postman and usually clearing the cookies in the UI there would work. I’m assuming though that you need them in this case? Does it work when you remove the cookies? Just to narrow it down to cookies as the likely cause and we can dig in further from there.
Yes it works when we remove the cookies, thanks.
Interesting. I just remembered there was also this change not too long ago that may be relevant Deprecation of POST requests without a Content-Length or Transfer-Encoding: chunked header - Shopify developer changelog
What status code is returned when you are getting the HTML response?
Just tested adding cookies like you have and it still did work for me.
This shouldn’t be needed when using the access token.
Thanks. Potentially we have some redundancy there. However, I can confirm service was restored when we removed the cookies at our end.