Token exchange returns invalid_subject_token

endor · February 28, 2025, 2:25pm

Hello.

I have added an order status extension, in which I get the session token and then make a request to my backend. There I’m trying to exchange the session token into an access token and get:

  "error": "invalid_subject_token",
  "error_description": "Token exchange cannot be performed due to an invalid subject token."

This is the frontend code:

const { sessionToken } = useApi();
const token = await sessionToken.get();
fetch('https://myapp.com/api/session-token', {
  headers: {
    Authorization: `Bearer ${token}`,
  },
});

This is the backend code:

const shopify = shopifyApi({
    apiKey: appClientId,
    apiSecretKey: appClientSecret,
    hostName: shopDomain,
    apiVersion: ApiVersion.January25,
    isEmbeddedApp: true,
});

const token = event.headers.authorization.split(' ')[1];

const session = await shopify.auth.tokenExchange({
    shop: shopDomain,
    sessionToken: token,
    requestedTokenType: RequestedTokenType.OnlineAccessToken,
});

remy727 · February 28, 2025, 2:29pm

Can you try with this?

const token = req.query.id_token

endor · February 28, 2025, 2:35pm

Is that in the frontend or the backend? In neither I seem to have a req. In the backend I have access to the query parameters through the event, but since I’m sending the session token in the header, I’m not sending it in the query.

Session Token suggests sending the session token in the header, like I do.

remy727 · February 28, 2025, 2:40pm

Aha, looks like you want to decode JWT.

endor · February 28, 2025, 2:46pm

shopify.auth.tokenExchange does the decoding for me. It’s a shopify lib function, so I would expect it to do the right thing.

remy727 · February 28, 2025, 2:50pm

I think you’re trying to use the session token from your order status extension to call the admin API from your server, right?
This isn’t what this session token is for - it’s meant for you to validate that requests to your server are coming from Shopify and not a malicious third party.

You would need to make sure to:

Verify that the request originated from Shopify via the session token
Set up the appropriate permissioning/access scoping restrictions to ensure that customers can only access data and actions that are relevant to them (i.e. don’t allow a customer to query info about another customer, or edit another customer’s order, etc.)

endor · February 28, 2025, 2:54pm

Yes, that’s what I want to do. Specifically I’d like to request some data about the customer based on their session token.

What is the token exchange meant for, if not for using the session token to get an access token to request data from the API?

If the token exchange is not meant for fetching customer data, what is the correct way to fetch this data?

Kenza_Iraki · February 28, 2025, 3:23pm

Hey @endor, to query data about the customer, you should do that directly from your customer account extension, by querying the Customer Account API. The Admin API is a merchant-facing API, the risk of using it in customer-facing contexts is very high - you could end up accidentally leaking data about other customers or data that shouldn’t be visible to customers at all.

As @remy727 mentioned, the goal of the session token is to validate that the call to your server originated from your extension in customer accounts, and not from a bad actor trying to find a vulnerability in your server.

The token exchange docs you linked to are talking about token exchange in the context of having an admin session token, which would only be the case in merchant-facing context, not in customer-facing contexts.

endor · February 28, 2025, 3:31pm

Ah, okay, that makes a lot of sense.

What I haven’t yet understood is this though: How can I take an action in my backend based on some of the customer’s data?

I can verify that a certain customer id sent a request to my backend based on the session token, but how can I get the additional data that I need to take an action?
If I request that data in the frontend and send it to my backend, it’s not guaranteed that this data is from my extension, only that the data in the session token is from my extension, right?

Kenza_Iraki · February 28, 2025, 3:44pm

What are you trying to do exactly? Mutate customer data? Order data? Something else?

If I request that data in the frontend and send it to my backend, it’s not guaranteed that this data is from my extension, only that the data in the session token is from my extension, right?

No, this isn’t accurate. When you validate the session token, it tells you that the request originated from your extension, so you can trust the entire request, not just the session token.

Edit: I was wrong, data outside of the session token can’t be trusted

endor · February 28, 2025, 3:50pm

I’m trying to work with the seal subscriptions API. In order to do that I need the customer’s email, but the token only contains the id.

I thought I read somewhere that only the token itself can be trusted, not the other data accompanying the request, but I can’t find the place anymore. Could you shortly explain why the whole request is trustworthy? Couldn’t a man-in-the-middle listen to the request and then use the same token but with other data in the request to gain more access?

endor · February 28, 2025, 6:15pm

@Kenza_Iraki Is the correct way then to set up a custom app that allows me to get an admin API token and use that and the customer id in the token to safely look up information?

remy727 · February 28, 2025, 7:12pm

If you are working on subscription app, please check Shopify Subscriptions Reference app.
You can check extensions code.

Kenza_Iraki · March 3, 2025, 12:02pm

@endor

I’m trying to work with the seal subscriptions API. In order to do that I need the customer’s email, but the token only contains the id.

I thought I read somewhere that only the token itself can be trusted, not the other data accompanying the request, but I can’t find the place anymore. Could you shortly explain why the whole request is trustworthy? Couldn’t a man-in-the-middle listen to the request and then use the same token but with other data in the request to gain more access?

You’re right, my bad, a man-in-the-middle could listen to the request and use your token in a malicious way. Ideally, APIs would use the customer id, and not the customer email, since the customer’s email can change, while the id remains the same.

@Kenza_Iraki Is the correct way then to set up a custom app that allows me to get an admin API token and use that and the customer id in the token to safely look up information?

Public apps are able to generate admin API access tokens as well. But once you start needing an admin API token, you need to be able to safely store it in your database and refresh it every 24 hours. Some docs about how that works are here.

Topic		Replies	Views
How can Offline Session tokens be generated for new apps using the latest Shopify App Remix and Token Exchange Process App Bridge app-bridge	6	89	February 10, 2025
Redirect URL for Token exchange not working after app reinstall Authentication & Access oauth , access-scopes	8	147	December 12, 2024
How to authenticate request with session tokens manually? Authentication & Access oauth	5	125	January 15, 2025
Session -> Access Token exchange with managed install query params Authentication & Access oauth	3	106	November 18, 2024
Sending Access Token to Remix app from App Extension Extensions theme-app-extension	4	39	February 28, 2025

Token exchange returns invalid_subject_token

Related topics