Urgent: Investigation into 401 Errors for /private_access_tokens Endpoint - Potentially a Shopify Behavior?

Hello Shopify Community,

I’m writing to raise awareness and seek clarification on a peculiar network request that we’ve observed on multiple stores. This request to a /private_access_tokens endpoint is consistently failing with a 401 Unauthorized error, and its origin is causing confusion for merchants, who are mistaking it for malicious activity from third-party apps.

Background

This investigation began after a merchant reported what they believed to be malicious JavaScript injected by a third-party app. They observed a script making unauthorized requests and, through their own process of elimination, concluded that a specific app was the culprit.

Here are the technical details they provided:

  • Malicious Code Found: fetch('/private_access_tokens' + location.search).catch(() => {});

  • Behavior: The code was dynamically injected into the <head> section, had no identifying attributes, and seemed to trigger on pages with “payment” in the URL, generating 401 console errors.

  • Conclusion: The merchant uninstalled an app, and the script disappeared, leading them to believe the app was responsible.

Our Analysis and Findings

We took this report very seriously and conducted our own investigation. While we were able to reproduce the network error, our findings suggest this is not an issue caused by a specific third-party app, but rather, it appears to be related to the Shopify platform itself.

Here’s what we discovered:

  1. Reproducible on Clean Stores: We successfully reproduced the exact same 401 error on our own clean, internal demo store where the app the merchant mentioned (and many other common apps) has never been installed.

  2. Consistent Reproduction Steps: The error appears consistently under specific conditions on any store we’ve tested.

  3. Platform-Level Indication: The script is injected inline within the <head>, often situated between other standard Shopify scripts, which points towards it being a Shopify-native script rather than a poorly implemented script from an app.

How to Reproduce the Issue

You can likely verify this on your own development or live store by following these steps:

  1. Log in to the storefront with a customer account.

  2. Add any product to the cart.

  3. Proceed to the checkout page.

  4. Open your browser’s Developer Tools and navigate to the Network tab.

  5. Filter for sf_private_access_tokens.

  6. You will likely see a GET request to https://<your-store-domain>/private_access_tokens?... that has failed with a 401 status code.

    Attaching a video of a freshly installed store that seems to be calling the same API without any apps installed:
    https://drive.google.com/file/d/1jmuOd7IrC1bboDEIAb1nhJiWVT0TeZ48/view?usp=sharing

Have the same behaviour at the checkout page - GET request to the same endpoint with 401 status code.

This is by design. Private Access Tokens are a specification from Apple used to identify real users on Apple devices. This is a bot and spam protection mechanism.

You can read more about this specification from Apple directly here and see some extra information from Cloudflare here.

These requests are supposed to return a 401 response, as per the specification:

Token Challenge and Redemption
To send a challenge, your server needs to post a HTTP 401 response to a request made by the client with a “WWW-Authenticate” header containing a “PrivateToken” challenge.

Hope that helps!
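As an added example (not code from this thread, from Shopify, or from Apple), a small triage helper for the situation described above: it reads captured responses (as you would export them from the Network tab) and separates an expected PrivateToken challenge (401 plus a WWW-Authenticate header naming the PrivateToken scheme) from other 401s. The header parameter values, host name and paths in the samples are constructed.

```javascript
// Added triage helper (hypothetical; not Shopify's code). Splits a WWW-Authenticate
// header into its challenge schemes. Challenges are comma-separated outside quoted
// strings; a segment that starts with a scheme token followed by whitespace (or nothing)
// opens a new challenge, while a bare key="value" segment continues the previous one.
function parseWwwAuthenticate(header) {
  const segments = [];
  let cur = '', inQuote = false;
  for (const ch of header) {
    if (ch === '"') inQuote = !inQuote;
    if (ch === ',' && !inQuote) { segments.push(cur); cur = ''; }
    else cur += ch;
  }
  segments.push(cur);
  const schemes = [];
  for (const seg of segments.map((s) => s.trim()).filter(Boolean)) {
    // HTTP token characters, then either end-of-segment or whitespace + params
    const m = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:\s+(.*))?$/.exec(seg);
    if (m) schemes.push(m[1].toLowerCase());
    // no match: a parameter continuation (e.g. token-key="...") of the prior scheme
  }
  return schemes;
}

// Classify one captured response: a 401 carrying a PrivateToken challenge is the
// by-design behaviour explained in the reply above, anything else gets its own label.
function classifyResponse({ url, status, headers }) {
  const path = new URL(url).pathname;
  const wwwAuth = Object.entries(headers)
    .filter(([k]) => k.toLowerCase() === 'www-authenticate')
    .map(([, v]) => v).join(', ');
  const schemes = parseWwwAuthenticate(wwwAuth);
  if (status === 401 && schemes.includes('privatetoken')) return 'expected-pat-challenge';
  if (status === 401 && path === '/private_access_tokens') return 'pat-endpoint-401-no-challenge';
  if (status === 401) return 'unexpected-401';
  return 'other';
}

// Constructed sample captures (illustrative values, not taken from a real store).
const SAMPLE_CAPTURES = [
  { url: 'https://example-store.test/private_access_tokens?step=payment', status: 401,
    headers: { 'WWW-Authenticate': 'PrivateToken challenge="Y29uc3RydWN0ZWQ=", token-key="a2V5"' } },
  { url: 'https://example-store.test/cart.js', status: 200, headers: {} },
  { url: 'https://example-store.test/some-other-endpoint', status: 401,
    headers: { 'WWW-Authenticate': 'Basic realm="constructed"' } },
];

function triage(captures = SAMPLE_CAPTURES) {
  return captures.map((c) => ({ url: c.url, verdict: classifyResponse(c) }));
}
```

Only the first capture is the benign PrivateToken challenge; a 401 on that endpoint without the PrivateToken scheme, or a 401 elsewhere, is what would still merit a closer look.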

Thanks @Kristofer-Shopify - will let the merchant know!