Description
What is the location of your example repository?
https://github.com/Shopify/hydrogen/tree/main/templates/skeleto
Which package or tool is having this issue?
Storefront API
What version of that package or tool are you using?
2026-01
What version of Remix are you using?
React Router 7.12.0 (migrated from Remix)
Steps to Reproduce
Environment:
@shopify/hydrogen 2026.1.0
@shopify/hydrogen-react 2026.1.0 (client-side ShopifyProvider)
Storefront API version: 2026-01
Endpoint: https://{store}.myshopify.com/api/2026-01/graphql.json
Affected browser: Mobile Safari (iOS 18.x), reproducible on desktop Safari
Store: aloha-collection.myshopify.com
Issue:
Client-side cart creation via ShopifyProvider / CartProvider fails with a CORS preflight error on the 2026-01 Storefront API endpoint. The browser-side fetch sends an X-Shopify-UniqueToken request header that is not included in the Access-Control-Allow-Headers response from Shopify's API.
Console errors:
Request header field X-Shopify-UniqueToken is not allowed by Access-Control-Allow-Headers. Fetch API cannot load https://aloha-collection.myshopify.com/api/2026-01/graphql.json due to access control checks.
Impact:
Cart creation fails silently. The cart status goes from "creating" → CORS block → "uninitialized". Customers cannot add any product to cart. The issue affects all browser-side cart mutations (cartCreate, linesAdd) made with a public Storefront API token against the 2026-01 endpoint.
This does not occur on the 2025-07 endpoint. The X-Shopify-UniqueToken header appears to be new in 2026-01 but has not been added to the CORS allowlist on Shopify's side.
Repro steps:
- Hydrogen storefront using @shopify/hydrogen@2026.1.0
- ShopifyProvider configured with storefrontApiVersion: '2026-01' and a public storefront token
- Browser-side CartProvider attempts cartCreate mutation
- Preflight OPTIONS request is rejected — X-Shopify-UniqueToken not in Access-Control-Allow-Headers
- Cart creation fails, status remains "uninitialized"
Expected behavior:
X-Shopify-UniqueToken should be included in Access-Control-Allow-Headers for the 2026-01 Storefront API endpoint, or the client-side library should not send it for public-token (browser) requests.
Workaround:
Rolling back storefrontApiVersion to 2025-07 in the ShopifyProvider config.
Expected Behavior
Client-side Storefront API requests using a public access token should succeed on the 2026-01 endpoint. The X-Shopify-UniqueToken header sent by @shopify/hydrogen-react should be included in the Access-Control-Allow-Headers CORS response.
Actual Behavior
The 2026-01 Storefront API endpoint rejects the browser preflight — X-Shopify-UniqueToken is not in Access-Control-Allow-Headers. Client-side cart mutations (cartCreate, linesAdd) via CartProvider fail silently. Cart status goes from "creating" → CORS block → "uninitialized". Customers cannot add to cart. The 2025-07 endpoint does not have this issue.
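
The preflight failure reported above can be reproduced offline with a small approximation of the browser's header check. This is an added example, not part of the issue or of Hydrogen's code; the function names, token placeholders and the sample Access-Control-Allow-Headers value are constructed assumptions, not values captured from Shopify.

```javascript
// Added example: approximates the browser's CORS preflight header check.
// CORS-safelisted request header names (Fetch spec); Content-Type only counts
// as safelisted for three form/text MIME types.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Names the browser lists in Access-Control-Request-Headers (lowercased, sorted).
function preflightHeaderNames(requestHeaders) {
  const names = [];
  for (const [name, value] of Object.entries(requestHeaders)) {
    const n = name.toLowerCase();
    if (SAFELISTED.has(n)) continue;
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (SIMPLE_CONTENT_TYPES.has(mime)) continue;
    }
    names.push(n);
  }
  return names.sort();
}

// Returns the request headers the preflight response does not allow.
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = new Set(
    (allowHeadersValue || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is a wildcard only for non-credentialed requests, and never covers Authorization.
  const wildcard = allowed.has('*') && !withCredentials;
  return preflightHeaderNames(requestHeaders).filter((n) => {
    if (allowed.has(n)) return false;
    return !(wildcard && n !== 'authorization');
  });
}

// Constructed sample values (not captured from Shopify).
const cartRequestHeaders = {
  'Content-Type': 'application/json',
  'X-Shopify-Storefront-Access-Token': 'PUBLIC_TOKEN_PLACEHOLDER',
  'X-Shopify-UniqueToken': 'UNIQUE_TOKEN_PLACEHOLDER',
};
const sampleAllowHeaders = 'Content-Type, X-Shopify-Storefront-Access-Token';

console.log(blockedHeaders(cartRequestHeaders, sampleAllowHeaders));
```

To check a real endpoint, pass the Access-Control-Allow-Headers value shown on the OPTIONS response in the browser's network panel as the second argument.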