Sudden invalidation of offline access tokens?

Got a couple of 401 errors logged in Sentry about an invalid access token when trying to update a metafield.

After some more digging, it looks like about half of my installed shop’s access tokens are now considered invalid by Shopify when calling the API endpoints. :cry:

Definitely not due to the shops uninstalling the app, there’s nothing related in the partners dashboard, and it even affects some of my test stores where I’m certain I’ve not uninstalled the app.

Any ideas why this may have suddenly happened?

Basically, calling the Shopify API using the offline access token returns a 401 error:

{
  "errors": "[API] Invalid API key or access token (unrecognized login or wrong password)"
}

I’ve validated this with both the @shopify/shopify-api package and the shopify-api-node package.

Up till now, the app has been running fine for over a year, this has only cropped up in the last couple of days.

Here’s a trace ID in case it helps:

If you report this error, please include this id: 2554145c-0563-454c-9ce3-336ab2e6c705-1738336455

I’ve raised this with Shopify support - Ticket: 54656500, but not heard anything back as yet.

Just brainstorming, did you change your app’s scopes?


Hi, thanks for the suggestion! I’ve not updated them recently, no, so I don’t think it’s that. Also, some shops are affected and some aren’t, so it doesn’t seem to be scope related. I’ve tried requesting a simple products GraphQL query that all the shops have been scoped to since the app was created, with the same results, so they should all have that scope.

Appreciate you taking the time to respond though.

Here are a couple of related posts I can find where it looks like something similar has happened. @Rob-Shopify you responded to the first one, did you ever find a resolution?

Possible reasons (you probably already know these, but sharing just in case):

  • Store closed or frozen – Make sure the store isn’t in a frozen state or closed.
  • Uninstall & reinstall flow issue – I’ve seen this happen when a store uninstalls the app, but due to an issue in the uninstall flow, the access token in the database isn’t invalidated. If the same store reinstalls, getSessionById might return the old invalid token instead of requesting a new one.

Almost always, this is the issue. Shopify’s API itself is fine, it’s just that the tokens stored in your database aren’t valid anymore. This could also happen if:

  • You changed the app secret key (all tokens issued with the old key become invalid).
  • The store’s offline token was refreshed (as far as I know this only happens when they uninstall and reinstall the app).

Hope this helps!

Also take a look at this as well - Invalid API key or access token (unrecognized login or wrong password)


Hmm, the app “client secret” being changed without the access tokens getting updated seems like it could be the badger, thanks for the suggestion @Gulam_Hussain_Quinn!

Plot twist, you can’t request a new access token via: https://${shop.myshopifyDomain}/admin/oauth/access_token.json without a currently active access token.

So that’s not much help.

Is there really no way to get a new access token for a shop that’s not uninstalled the app when the old token is invalid?

You can make Shopify create a new token by forcing a re-authentication. Are you using Remix or something else?

But the user has to open your app for this, you can’t trigger it yourself.

When the user opens your app, Shopify checks the session using getSessionById. If you return undefined from this method, Shopify will re-authenticate and create a new token.

To do this, just make sure expired or invalid tokens are removed from your database. If Shopify doesn’t find a session, it will run the auth flow again, just like when the app was first installed.


Good idea, will be better than forcing them to reinstall I guess. Will give it a try and let you know how it goes.

Yup, that worked perfectly, thanks for the suggestions @Gulam_Hussain_Quinn!

I nulled out the accessToken and installedViaApiKey fields for my shop record, and that was enough to trigger a silent re-auth when I next logged in to the app.

When I tried to load it in the Shopify admin, the app just looked like it was reloading and didn’t prompt the user; when it finished reloading, the new accessToken and installedViaApiKey values had been added back in the DB.

I was then able to use that new accessToken successfully to call the API.
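Putting the two pieces of the thread together (the session lookup returning undefined to force re-auth, and nulling the token fields when the 401 shows up), here is an added example that is not code from the thread or from Shopify’s packages. The in-memory store, the record shape and the function names (getSessionById, invalidateSession, handleApiResponse) are assumptions for illustration; only the 401 error body is the one quoted above.

```javascript
// Constructed sample records keyed by session id. "offline_<shop>" mirrors the
// offline session id convention the thread's packages use; the token and key
// values are made up for this example.
const sessions = new Map([
  ["offline_good.myshopify.com",
    { shop: "good.myshopify.com", accessToken: "shpat_constructed_valid", installedViaApiKey: "key_constructed" }],
  ["offline_stale.myshopify.com",
    { shop: "stale.myshopify.com", accessToken: "shpat_constructed_stale", installedViaApiKey: "key_constructed" }],
]);

// Session lookup handed to the app framework (hypothetical name from the thread).
// Returning undefined when the stored token has been cleared is what makes the
// framework run the OAuth flow again instead of reusing a dead token.
function getSessionById(id) {
  const record = sessions.get(id);
  if (!record || !record.accessToken) return undefined;
  return { ...record };
}

// Null out the token fields (as the original poster did) rather than deleting
// the row, so any other per-shop data survives the silent re-auth.
function invalidateSession(id) {
  const record = sessions.get(id);
  if (!record) return false;
  record.accessToken = null;
  record.installedViaApiKey = null;
  return true;
}

// Run on every Admin API response: recognise the exact 401 body from the thread
// and invalidate the session so the next app open re-authenticates. Any other
// status (including other 401 causes) is left alone. Returns true if invalidated.
function handleApiResponse(id, status, body) {
  const invalidToken =
    status === 401 &&
    body !== null && typeof body === "object" &&
    typeof body.errors === "string" &&
    body.errors.includes("Invalid API key or access token");
  if (invalidToken) invalidateSession(id);
  return invalidToken;
}

module.exports = { getSessionById, invalidateSession, handleApiResponse };
```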