I’m working on a custom Shopify application and running into a frustrating issue. Even though my app has been granted all the necessary permissions, I keep getting a 403 Forbidden error when trying to execute GraphQL mutations through the Storefront API.
I’m using the storefront access token that was generated for my application, but something seems to be wrong with my setup. Here’s the mutation I’m trying to run:
const createUserMutation = `mutation {
  customerCreate(
    input: {
      firstName: "${userDetails.fname}",
      lastName: "${userDetails.lname}",
      email: "${userDetails.emailAddress}",
      password: "${userDetails.userPassword}"
    }
  ) {
    customer {
      id
      firstName
      lastName
      email
    }
    customerUserErrors {
      field
      message
    }
  }
}`
And here’s how I’m making the API call:
// Request as originally written: raw GraphQL body and the Admin-style token header.
// (await and .then were mixed, so `response` was undefined; the result is now logged separately.)
const response = await fetch(process.env.SHOPIFY_STOREFRONT_ENDPOINT, {
  body: createUserMutation,
  method: 'POST',
  headers: {
    'X-Shopify-Access-Token': process.env.STOREFRONT_TOKEN,
    'Content-Type': 'application/graphql'
  }
})
console.log(response)
I’m really stuck on this one and would appreciate any guidance on what might be causing the forbidden error.
Had this same issue a few months ago - it’s the Content-Type header. The Storefront API is picky about how you format GraphQL requests. Switch your Content-Type from ‘application/graphql’ to ‘application/json’ and wrap your mutation in proper JSON:
const response = await fetch(process.env.SHOPIFY_STOREFRONT_ENDPOINT, {
  body: JSON.stringify({ query: createUserMutation }),
  method: 'POST',
  headers: {
    'X-Shopify-Storefront-Access-Token': process.env.STOREFRONT_TOKEN,
    'Content-Type': 'application/json'
  }
})
Also, use ‘X-Shopify-Storefront-Access-Token’ instead of just ‘X-Shopify-Access-Token’. The Storefront API needs that exact header format. Fixed it for me.
Check your endpoint URL - people often confuse the admin API with the storefront API. For storefront, use yourstore.myshopify.com/api/2023-10/graphql.json, not the admin endpoint. Try a simple query first instead of a mutation to test if your auth’s working.
Hey, I had a similar issue! Make sure your token has all the necessary permissions; it’s easy to overlook. Also, consider changing the headers or wrapping that mutation properly. Sometimes the format can cause issues too. Good luck!
Check your Shopify store’s customer account settings first. Most stores disable customer registration by default or set it to admin approval only - this’ll throw a 403 even with correct API credentials. Head to Settings > Customer accounts in your admin panel and enable customer registration. I wasted hours debugging API calls before I realized my test store had customer creation locked down. Also make sure your private app has the unauthenticated_write_customers scope enabled in Storefront API permissions. Without it, customerCreate mutations will always fail no matter how you format the request.
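Putting the answers above together, here is an added example (not code from anyone in this thread) that sends customerCreate with the JSON body and X-Shopify-Storefront-Access-Token header, passes the user's values as GraphQL variables instead of splicing them into the query text, and separates a transport-level 403 from the customerUserErrors a 200 response can still carry. The endpoint, token and fetch implementation are injected parameters (assumed names) so the function can be exercised offline; the mutation signature is the Storefront API's customerCreate(input: CustomerCreateInput!).

```javascript
// Added example, not code from the thread. Sends the customerCreate mutation
// with the JSON body and X-Shopify-Storefront-Access-Token header the answers
// describe, and passes user input as GraphQL variables rather than splicing it
// into the query text, so quotes or braces in a password cannot alter the query.
// endpoint, token and fetchImpl are injected (assumed names) so it runs offline.
const CUSTOMER_CREATE = `
  mutation customerCreate($input: CustomerCreateInput!) {
    customerCreate(input: $input) {
      customer { id firstName lastName email }
      customerUserErrors { field message }
    }
  }`;

// Build the fetch options: correct header name, JSON content type, variables object.
function buildCustomerCreateRequest(token, userDetails) {
  return {
    method: 'POST',
    headers: {
      'X-Shopify-Storefront-Access-Token': token,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      query: CUSTOMER_CREATE,
      variables: {
        input: {
          firstName: userDetails.fname,
          lastName: userDetails.lname,
          email: userDetails.emailAddress,
          password: userDetails.userPassword,
        },
      },
    }),
  };
}

// Send the request; a 403 is a setup problem, customerUserErrors is a data problem.
async function createCustomer(endpoint, token, userDetails, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(endpoint, buildCustomerCreateRequest(token, userDetails));
  if (res.status === 403) {
    throw new Error('403 Forbidden: check the header name, the Storefront endpoint, ' +
      'the unauthenticated_write_customers scope and customer account settings');
  }
  if (!res.ok) throw new Error(`Storefront API returned HTTP ${res.status}`);
  const json = await res.json();
  if (json.errors && json.errors.length) {
    throw new Error(`GraphQL error: ${json.errors.map(e => e.message).join('; ')}`);
  }
  const { customer, customerUserErrors } = json.data.customerCreate;
  return { ok: customerUserErrors.length === 0, customer, customerUserErrors };
}
```

Call it as `createCustomer('https://yourstore.myshopify.com/api/2023-10/graphql.json', process.env.STOREFRONT_TOKEN, userDetails)` once the scope and customer-account settings from the answers above are in place.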