I am trying to install our public app on a Shopify store and the code
returned in the redirect URL is used for generating the access token.
But our call to Shopify API for generating access token is always resulting in the following error:
“oauth error invalid request the authorization code was not found or already used”
Process followed:
As soon as the Shopify shop owner clicks to accept the installation of our app, he gets redirected to the following URL:
http://mywebsite.com/?code=d119551fb7cdd820012c6b2cb7b12495&hmac=10976937c09a1f1e3db6275d12cae8fbd43415a6d5b031ec14a70128b8fe9dfe&shop=<retailer>.myshopify.com&state=11122777&timestamp=1478065253
mywebsite.com is our website which integrates with the Shopify Shop and accesses various APIs through the access token and <retailer>.myshopify.com is the actual Shopify Shop.
This redirected URL is being provided to us by the Shopify Shop owner in an email.
This URL contains the code parameter. We take this code parameter and hit another Shopify API for generating the access token – using the following URL:
https://<retailer>.myshopify.com/admin/oauth/access_token
and pass the following 3 POST parameters: client_id, client_secret and code
We haven’t yet written the program for the creation of access token, instead we do this process of generating the access token through POSTMAN, which is a manual process. We are planning to write the script which will automatically parse the redirected URL and generate the access token, but as of now we are doing this manually.
Let me know any other details you will require and I will provide it.
I have created a similar request on Shopify forums but they also suggested to put this question on StackOverflow for experts to have a look.
Thanks!
Sharad
3 Answers
We decided on working with our customer and figured out that our customer was clicking the back button on the browser when he was getting redirected to our server after the app installation. This action was taking our customer back to their admin page and in effect rendering the generated code as used. So, in actuality the code was already used before we could use it to generate the access token.
We stopped the user from clicking the back button on the browser and used the code generated, in the first instance, for generating the access token and it worked. Thank you Jamie for your input related to "codes have a lifespan and can be used only once" - this set me thinking.
Regards, Sharad
It sounds like the code Shopify is providing you is expiring while you’re waiting for the store owner to share it with you. I would recommend creating a development store so you have access to the code as soon as it’s returned by Shopify. You can find instructions on creating a development store here.
Why is the redirection URL being provided in an e-mail?
Authorization codes have a limited lifespan and can only be used exactly once. The authorization code should be exchanged for an access token immediately after it is issued.
I would suggest taking another read through the OAuth documentation as your current flow doesn’t seem to line up with what is described in the docs.
https://help.shopify.com/api/getting-started/authentication/oauth
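An added example, not part of the original posts: a sketch of the script the question says is still to be written, which validates the redirect URL inside the callback and builds the token request straight away instead of passing the URL on by e-mail. The hmac check follows Shopify's documented scheme (HMAC-SHA256, keyed with the client secret, over the sorted query parameters without hmac); the function names, the secret, the client id and the sample URL are constructed for illustration.

```python
import hashlib, hmac, json, re
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import Request, urlopen

SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")

def sign(params, secret):
    """HMAC-SHA256 over the sorted query parameters, excluding hmac itself."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()

def _same(a, b):  # constant-time string comparison
    return hmac.compare_digest(a.encode(), b.encode())

def validate_callback(url, secret, expected_state):
    """Return the callback parameters, or raise ValueError if a check fails."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if not _same(sign(params, secret), params.get("hmac", "")):
        raise ValueError("hmac mismatch")
    if not _same(params.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    if not SHOP_RE.fullmatch(params.get("shop", "")):
        raise ValueError("unexpected shop hostname")
    if not params.get("code"):
        raise ValueError("missing code")
    return params

def build_token_request(params, client_id, secret):
    """POST request for the access_token endpoint named in the question."""
    body = urlencode({"client_id": client_id, "client_secret": secret,
                      "code": params["code"]}).encode()
    return Request(f"https://{params['shop']}/admin/oauth/access_token",
                   data=body, method="POST")

def exchange(request):
    """Send the request at once; the code is single-use and short-lived."""
    with urlopen(request, timeout=10) as resp:
        return json.load(resp)["access_token"]

# Constructed sample values, not real credentials.
SECRET, CLIENT_ID, STATE = "constructed-secret", "constructed-client-id", "11122777"
_q = {"code": "constructed-code", "shop": "example-retailer.myshopify.com",
      "state": STATE, "timestamp": "1478065253"}
SAMPLE_URL = "http://mywebsite.com/?" + urlencode({**_q, "hmac": sign(_q, SECRET)})

if __name__ == "__main__":
    req = build_token_request(validate_callback(SAMPLE_URL, SECRET, STATE),
                              CLIENT_ID, SECRET)
    print(req.get_method(), req.full_url)  # exchange(req) would send it
```

In a real callback handler, `exchange()` is called in the same request that received the code, and the resulting token is stored server-side.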