Description
When Shopify fires the APP_UNINSTALLED webhook, the documentation states that
the access token is still valid at that point. However, in practice, by the time
the webhook reaches our server and is processed, the token is already revoked.
Behavior
Our webhook handler attempts to call the Shopify Admin API using the session's
access token (retrieved via authenticate.webhook()) before deleting the
session from the database — exactly as recommended. Despite this, we consistently
get the following error:
Stack trace points to the Admin API GraphQL call inside the webhook action.
Expected behavior
The access token should remain valid for the duration of the APP_UNINSTALLED
webhook processing, allowing cleanup API calls to Shopify (e.g. deleting a page
created by the app).
Actual behavior
The token is already invalidated by the time the webhook arrives — likely due to
a race condition on Shopify's side between token revocation and webhook delivery.
Workaround
Currently catching the error silently, but this means we cannot reliably clean up
Shopify-side resources (pages, metafields, etc.) on uninstall.
Question
Is this expected behavior? Is there a guaranteed window where the token remains
valid after APP_UNINSTALLED fires? Is there a recommended pattern for
performing Admin API cleanup during uninstall?
Description
When Shopify fires the
APP_UNINSTALLEDwebhook, the documentation states thatthe access token is still valid at that point. However, in practice, by the time
the webhook reaches our server and is processed, the token is already revoked.
Behavior
Our webhook handler attempts to call the Shopify Admin API using the session's
access token (retrieved via
authenticate.webhook()) before deleting thesession from the database — exactly as recommended. Despite this, we consistently
get the following error:
Stack trace points to the Admin API GraphQL call inside the webhook action.
Expected behavior
The access token should remain valid for the duration of the
APP_UNINSTALLEDwebhook processing, allowing cleanup API calls to Shopify (e.g. deleting a page
created by the app).
Actual behavior
The token is already invalidated by the time the webhook arrives — likely due to
a race condition on Shopify's side between token revocation and webhook delivery.
Workaround
Currently catching the error silently, but this means we cannot reliably clean up
Shopify-side resources (pages, metafields, etc.) on uninstall.
Question
Is this expected behavior? Is there a guaranteed window where the token remains
valid after
APP_UNINSTALLEDfires? Is there a recommended pattern forperforming Admin API cleanup during uninstall?