Storefront Access Token Creation Issue #2073

Joao_Gabriel_Alves_P · February 6, 2025, 12:57pm

Issue summary

The storefrontAccessTokenCreate mutation is consistently returning ACCESS_DENIED, whereas it previously worked without issues. This behavior change occurred without any documented updates from Shopify.

Note: The issue persists even when testing with a new sales channel app.

Current App Scopes

read_content,read_markets,read_products,read_reports,unauthenticated_read_checkouts,unauthenticated_read_customer_tags,unauthenticated_read_customers,unauthenticated_read_product_listings,unauthenticated_read_product_tags,unauthenticated_read_selling_plans,unauthenticated_write_checkouts,write_customers,write_discounts,write_orders,write_themes

Expected Behavior

The mutation should successfully create and return a new storefront access token
If there are permission issues, the error response should provide actionable details about:
- Why the access was denied
- What permissions are missing
- How to resolve the issue

Actual behavior

The mutation consistently returns ACCESS_DENIED without additional context.

Steps to reproduce the problem

Install Shopify GraphQL app with all available scopes
Execute the following mutation:

mutation StorefrontAccessTokenCreate($input: StorefrontAccessTokenInput!) {
  storefrontAccessTokenCreate(input: $input) {
    userErrors {
      field
      message
    }
    storefrontAccessToken {
      accessToken
    }
  }
}

Observe the ACCESS_DENIED error response

Stefano_Vidmar · February 6, 2025, 4:42pm

Sorry not here to answer you question but was hoping if you could shine some light for me. So I have custom hydrogen application I want to implement my own custom auth like signing up the user through my own onboarding flow etc ofc I know graph QL admin has a bunch of mutations but I’m kind lf lost as to what orders things need to be done and the session. I saw there is a mutation called createCustomer and also createCustomerAccessToken I’m lost as in the order / flow of things essentially I have wall the inputs for the mutations but just unsure of the sequence of mutations I need to perform I would truly appreciate if you could take few minutes to answer me and I’ll keep looking into if i find something i will share too

Vladyslav_Muraviov · February 19, 2025, 3:30pm

I have the same problem, is there any solution?

Topic		Replies	Views
storefrontAccessTokenCreate Access Denied GraphQL Admin API Troubleshooting general-gql-troubles	9	67	March 10, 2025
customerAccessTokenCreate mutation doesn't return "CUSTOMER_DISABLED" error code Hydrogen and Storefront APIs storefront-api	3	59	November 13, 2024
Building my own auth flow (ofc using the graph QL mutations) GraphQL Admin API Troubleshooting general-gql-troubles	0	8	February 6, 2025
{"errors": "[API] Invalid API key or access token (unrecognized login or wrong password)"} GraphQL Admin API Troubleshooting general-gql-troubles	14	392	November 14, 2024
Admin Extension graphql 401 unauthorized Extensions admin-ui-extensions	3	63	October 29, 2024