Receiving intermittent 429 Errors with Shopify's admin/oauth/access_token API

Hi everyone,

I’m encountering an intermittent issue when attempting to exchange an authorization code for an access token using the Shopify admin/oauth/access_token endpoint. Over the past two days, there’s been an increase in HTTP 429 responses for this endpoint. In the 429 responses, the response headers include cf-mitigated: challenge, suggesting that Cloudflare might be issuing challenges to these requests.

Notably, these endpoint responses lack the X-Shopify-Shop-Api-Call-Limit header that typically appears in API responses. The presence of the cf-mitigated: challenge header is interesting, but I’m not certain about the exact source of these 429 errors.

For context, we’re making on average 30–40 requests per hour to this endpoint for different stores, so the request frequency isn’t particularly high.

Questions:

  1. Has anyone else experienced similar 429 errors with the cf-mitigated: challenge header when interacting with Shopify’s OAuth endpoints?

  2. Could there be other causes for these 429 errors besides Cloudflare challenges?

  3. Are there any known limitations or special considerations for the admin/oauth/access_token endpoint that differ from other Shopify API endpoints?

  4. Has Shopify recently changed any policies or limits related to OAuth token exchange that might explain this behavior?

Any insights or recommendations on how to address this would be greatly appreciated.

Thank you!

4 Likes
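The header check described in the question above, as an added example that is not part of the original post or Shopify's code: it labels each token-exchange response by the headers it carries and tallies the labels per hour. The function names, the labels, the sample records and the policy of not auto-retrying a challenged request are assumptions of this sketch.

```python
from collections import Counter

def _lower(headers):
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): str(v).strip() for k, v in headers.items()}

def classify_429(status, headers):
    """Label a response by which layer most likely produced the throttle."""
    h = _lower(headers)
    if status != 429:
        return "not_throttled"
    if h.get("cf-mitigated", "").lower() == "challenge":
        return "edge_challenge"      # Cloudflare issued a challenge
    if "x-shopify-shop-api-call-limit" in h or "retry-after" in h:
        return "api_rate_limit"      # throttle carries API-level limit headers
    return "unattributed_429"        # 429 with nothing to attribute it to

def retry_delay(label, headers, attempt, base=2.0, cap=300.0):
    """Seconds to wait before retrying; None means do not retry automatically."""
    h = _lower(headers)
    backoff = min(base * 2 ** attempt, cap)
    if label == "api_rate_limit":
        try:
            return min(float(h["retry-after"]), cap)
        except (KeyError, ValueError):   # header absent or an HTTP date
            return backoff
    if label == "edge_challenge":
        return None   # not a quota: record it (with cf-ray, if present) and alert
    return backoff if label == "unattributed_429" else 0.0

def summarize(records):
    """Count labels per hour from (iso_timestamp, status, headers) records."""
    counts = Counter()
    for ts, status, headers in records:
        counts[(ts[:13], classify_429(status, headers))] += 1
    return counts

# Constructed sample records (not real traffic).
SAMPLE = [
    ("2000-01-01T14:02:11Z", 200, {"X-Shopify-Shop-Api-Call-Limit": "1/40"}),
    ("2000-01-01T14:05:40Z", 429, {"cf-mitigated": "challenge", "CF-RAY": "constructed-1"}),
    ("2000-01-01T14:09:03Z", 429, {"CF-Mitigated": "Challenge"}),
    ("2000-01-01T15:01:00Z", 429, {"Retry-After": "2.0",
                                   "X-Shopify-Shop-Api-Call-Limit": "40/40"}),
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(key, n)
```

Tracking the labels separately shows whether a 429 spike is made up of challenged requests or of responses carrying rate-limit headers, which is the detail a report to the platform needs.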

We are also seeing this happen at a very elevated rate for the past 3-4 days.

It definitely seems like 429 errors for retrieving access tokens have spiked anomalously, but may have been fixed already? Can anyone from Shopify comment on what might have happened here?

Here’s the past 15 days of the status codes we’ve been seeing on this endpoint from Shopify, see the big spike of orange (429) responses:

1 Like

@airhorns @gadget_kyle - We switched to using a residential proxy to solve this since it seems Cloudflare is incorrectly identifying the app servers as a bot.

Terrifying. The issue has stopped for us since Apr 24, 14:00:00 EST as shown in that graph.

This error pattern has started happening intermittently again for us since about April 30th 3PM EST. It comes and goes and seems uncorrelated with the actual amount of traffic we’re sending to this endpoint.

Hey all - acknowledged on this issue and we are digging into it. We will report back once we have more detail.

FYI we believe we have resolved the underlying issue that was causing these 429 responses. Please let us know if this problem continues to occur, and thank you again for letting us know about it.

Still happening for me, sir.

Is it happening on this specific endpoint admin/oauth/access_token?