During the client credentials rotation process, we have to refresh access tokens. My question is what the behavior of Step 5 of of the rotation process for closed stores is, example being when they are frozen due to non payment?
Will it actually refresh access token regardless of the status and if it doesn’t, what are the suggested steps for handling this that don’t require the merchant to access the app directly and go through the auth process?
We do have a few frozen stores that have our app but we would prefer it if we were able to test this on our development stores and staging apps before we rotate client credentials on our production apps.
A much needed feature here is being able to customize dev stores (by customize I mean setting the status, selecting plan apart from the current ones available, setting features associated with the plan, etc.) so we can cover these edge cases before pushing changes to production.
The key safety net here in the docs is: don’t revoke your old client secret until you’ve successfully refreshed every token. That way, even if frozen stores fail to refresh, their existing tokens still work.
For your rotation logic, I’d recommend tracking successes and failures per-store. Keep the old secret alive until all tokens are rotated. For stores that fail, you can retry when they reactivate — though note the refresh token from the Dev Dashboard only lasts 1 hour, so you may need to generate a new one for a later retry window. Alternatively, those merchants will naturally re-trigger the auth flow when they reopen their store and launch your app, which will issue a fresh token tied to the current secret.
Hi @Liam-Shopify, thanks for the info but it doesn’t feel safe to linger too long in the Client credentials rotation limbo where we have both the old and the new client secret. Judging by some older (possibly outdated) topics, stores can be frozen up to 2 years which would mean having both credentials open for an extended period of time.
While I do agree that for most cases this is fixed by merchants simply reopening the app, we do have cases where merchants basically “set and forget” an app since those apps tend to run in the background without much direct interaction (mainly webhook based apps which call the Shopify API in their webhook handlers). In that specific case, failures would occur without the merchant knowing about them.
There are hacky workarounds for notifying merchants in these cases but they are highly situational.
A suggestion for improving the docs would be to list out all possible error codes and messages when requesting a new access token so that we can know what to expect in production environments since we can’t simulate everything on development stores.
1 Like