Shopify
[Bug]: Cannot provide a custom app access token to --password flag
Please confirm that you have:
- [x] Searched existing issues to see if your issue is a duplicate. (If you’ve found a duplicate issue, feel free to add additional information in a comment on it.)
- [x] Reproduced the issue in the latest CLI version.
In which of these areas are you experiencing a problem?
Theme
Expected behavior
Provide a custom app access token to authenticate with the store that you want to work on.
To authenticate using an access token, pass the --password flag with each command that you want to run against the store.
Actual behavior
Command shopify theme dev --password shpat_*** exits with error Invalid password. Please generate a new password from the Theme Access app.
Interestingly, CLI authenticates to store without errors when running other CLI commands!?
Verbose output
Verbose output
2025-09-18T20:31:53.271Z: Analytics event sent: {
"command": "theme dev",
"time_start": 1758227512286,
"time_end": 1758227512446,
"total_time": 160,
"success": false,
"cli_version": "3.84.1",
"ruby_version": "",
"node_version": "24.1.0",
"is_employee": false,
"uname": "linux amd64",
"env_ci": false,
"env_plugin_installed_any_custom": false,
"env_plugin_installed_shopify": "[\"@shopify/cli\"]",
"env_shell": "bash",
"env_device_id": "a4998d4a8b9461fdde65077bbe4967d5c64ba448",
"env_cloud": "localhost",
"env_package_manager": "npm",
"env_is_global": true,
"env_auth_method": "none",
"env_is_wsl": false,
"env_build_repository": "Shopify/cli",
"cmd_app_warning_api_key_deprecation_displayed": false,
"cmd_all_timing_network_ms": 0,
"cmd_all_timing_prompts_ms": 0,
"cmd_all_launcher": "unknown",
"cmd_all_topic": "theme",
"cmd_all_plugin": "@shopify/theme",
"cmd_all_force": false,
"cmd_all_verbose": true,
"cmd_all_path_override": true,
"cmd_all_path_override_hash": "43473b8a8b37ed3c2f77ef0ba9648c5dc2692369",
"cmd_all_timing_active_ms": 160,
"cmd_all_exit": "expected_error",
"user_id": "unknown",
"request_ids": [],
"args": "-e development --verbose",
"cmd_all_environment_flags": "{\"store\":\"e864d7.myshopify.com\",\"password\":\"shpat_***\",\"storefront_token\":\"f981****\"}",
"error_message": "Invalid password. Please generate a new password from the Theme Access app.",
"env_plugin_installed_all": "[\"@shopify/cli\"]",
"metadata": "{\"extraPublic\":{},\"extraSensitive\":{}}"
}
Reproduction steps
- Generate access token for custom apps in the Shopify admin
- Pass the access token to
--passwordflag withshopify theme devcommand
Operating System
openSUSE Tumbleweed
Shopify CLI version (shopify --version)
@shopify/cli/3.84.1 linux-x64 node-v24.1.0
Shell
Bash
Node version (run node -v if you're not sure)
v24.1.0
What language and version are you using in your application?
No response
I'm a little confused here. You mention that you're running shopify theme dev but trying to use a custom app password token which is for apps, not themes.
Themes do have a concept of token-based passwords but they are generated through the Theme Access app.
I'm a little confused here. You mention that you're running
shopify theme devbut trying to use a custom app password token which is for apps, not themes.Themes do have a concept of token-based passwords but they are generated through the Theme Access app.
Thank you, my confusion on this issue comes from the Shopify docs:
You can use the following authentication methods to work on a theme in a Shopify store using Shopify CLI:
It seems to be saying that providing a custom app access token to the --password flag will authenticate to the store you want to work on, given the custom app has right API access scopes. Actually this method was working for me on previous versions. It's doubly confusing to me b/c on 3.84 passing the token to all other CLI commands works as expected except for when running shopify theme dev ...
Very interesting! Let me have a look, it's been a while since I've poked at the auth flow.
Just as a follow up here: we're still talking about whether we want to officially support custom app tokens due to their inferior behavior in theme dev (for example, no hot module reloading).