Shopify APP: Failed to validate session token: Failed to parse session token 'xxxxxxxx': signature verification failed

Dev Platform
1

Greetings,

Please help me to fix issue, that I’m struggling to deploy shopify app on server.

I create sample app with command shopify app init and selected React Router 7 / Javascript.
Then run shopify app dev, its working fine in local.

I setup application_url, redirect_urls in shopify.app.toml file and deployed app. SHOPIFY_API_KEY, SHOPIFY_API_SECRET and SCOPES copied from shopify app env show command.

Environment:

  • Framework: Remix / React Router (Shopify App Template)

  • Deployment: AWS (Amazon Linux) with Nginx Reverse Proxy

  • Database: MySQL

  • Setup SSL

untouched code hosted on server, setup prisma and loaded .env variable. When running app, dashboard coming blank, debug log are:

[2026-02-12T13:20:51Z] [shopify-app/INFO] Authenticating admin request | {shop: xxxxxxxxxx.myshopify.com}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Attempting to authenticate session token | {shop: xxxxxxxxxx.myshopify.com, sessionToken: {"search":"xxxxxxxx"}}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Validating session token | {shop: xxxxxxxxxx.myshopify.com}

[2026-02-12T13:20:51Z] [shopify-app/INFO] Authenticating admin request | {shop: xxxxxxxxxx.myshopify.com}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Attempting to authenticate session token | {shop: xxxxxxxxxx.myshopify.com, sessionToken: {"search":"xxxxxxxx"}}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Validating session token | {shop: xxxxxxxxxx.myshopify.com}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Failed to validate session token: Failed to parse session token 'xxxxxxxx': signature verification failed | {shop: xxxxxxxxxx.myshopify.com}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Failed to validate session token: Failed to parse session token 'xxxxxxxx': signature verification failed | {shop: xxxxxxxxxx.myshopify.com}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Authenticate returned a response | {shop: xxxxxxxxxx.myshopify.com}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Authenticate returned a response | {shop: xxxxxxxxxx.myshopify.com}

GET /app?embedded=1&hmac={hmac}&host={host}&id_token={xxxxxxxx}&locale=en&session={session}&shop=xxxxxxxxxx.myshopify.com&timestamp=1770902449 302 - - 21.108 ms
[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Rendering bounce page | {shop: xxxxxxxxxx.myshopify.com}

[2026-02-12T13:20:51Z] [shopify-app/DEBUG] Authenticate returned a response | {shop: xxxxxxxxxx.myshopify.com}

GET /auth/session-token?embedded=1&hmac={hmac}&host={host}&locale=en&session={session}&shop=xxxxxxxxxx.myshopify.com&timestamp=1770902449&shopify-reload=https%3A%2F%2Fmydomain.com%2Fapp%3Fembedded%3D1%26hmac%{hmac}%26host%{host}%26locale%3Den%26session%{session}%26shop%3Dxxxxxxxxxx.myshopify.com%26timestamp%3D1770902449 200 - - 5.364 ms

and then stuck.

Browser console has no error.

I can’t understand what I’m missing, please help to resolve issue.

complete code here GitHub - jivansuhagiya/shopify-remix · GitHub

2

Can you share the code snippet that is actually performing the authentication?

3

Hi @Dylan ,
Thank you your reply, here is the complete code

4

Hi @Jivan_Suhagiya - I took a look at your repo and the code itself is fine, it’s essentially the stock React Router template with some additional logging added. Nothing in it should cause a signature verification failure. The problem is very likely in your production environment variables.

The “signature verification failed” error means the library is verifying the session token JWT against your SHOPIFY_API_SECRET, and the value doesn’t match. In your shopify.server.js you have apiSecretKey: process.env.SHOPIFY_API_SECRET || "", so if that env var is empty or incorrect on your server, the signature check will always fail. During local dev, shopify app dev injects these automatically, but when you deploy to your own hosting you need to set them yourself.

You mentioned setting SHOPIFY_API_KEY, SHOPIFY_API_SECRET, and SCOPES, but SHOPIFY_APP_URL is also required. Without it, appUrl defaults to an empty string in your config and authentication won’t work properly. It should match the application_url in your shopify.app.toml. You’ll also want to confirm you ran shopify app deploy with your production config to sync those URLs with Shopify.