From e48f2aaea5db31e415868626b645e7180e1f26aa Mon Sep 17 00:00:00 2001
From: Josh Faigan
Date: Fri, 16 Jan 2026 11:45:05 -0500
Subject: [PATCH 1/2] only send auth headers for proxied theme requests
---
 .changeset/little-zebras-cut.md | 5 +++++
 .../src/cli/utilities/theme-environment/proxy.ts | 14 +++++++++-----
 .../theme-environment/theme-environment.test.ts | 1 -
 3 files changed, 14 insertions(+), 6 deletions(-)
 create mode 100644 .changeset/little-zebras-cut.md
diff --git a/.changeset/little-zebras-cut.md b/.changeset/little-zebras-cut.md
new file mode 100644
index 00000000000..bc2c03eb438
--- /dev/null
+++ b/.changeset/little-zebras-cut.md
@@ -0,0 +1,5 @@
+---
+'@shopify/theme': patch
+---
+
+Only send authorization headers when it's a theme request for proxy requests
diff --git a/packages/theme/src/cli/utilities/theme-environment/proxy.ts b/packages/theme/src/cli/utilities/theme-environment/proxy.ts
index 197ff16d1a7..d228837ef64 100644
--- a/packages/theme/src/cli/utilities/theme-environment/proxy.ts
+++ b/packages/theme/src/cli/utilities/theme-environment/proxy.ts
@@ -306,15 +306,19 @@ export function proxyStorefrontRequest(event: H3Event, ctx: DevServerContext): P
 const headers = getProxyStorefrontHeaders(event)
 const body = getRequestWebStream(event)
 
- const finalHeaders = cleanHeader({
+ const baseHeaders: {[key: string]: string} = {
 ...headers,
 ...defaultHeaders(),
- Authorization: `Bearer ${ctx.session.storefrontToken}`,
- // Required header for CDN requests
 referer: url.origin,
- // Update the cookie with the latest session
 Cookie: buildCookies(ctx.session, {headers}),
- })
+ }
+
+ // Only include Authorization for theme dev, not theme-extensions
+ if (ctx.type === 'theme') {
+ baseHeaders.Authorization = `Bearer ${ctx.session.storefrontToken}`
+ }
+
+ const finalHeaders = cleanHeader(baseHeaders)
 
 // eslint-disable-next-line no-restricted-globals
 return fetch(url, {
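Review bot: When `ctx.type` is not `'theme'`, nothing in this hunk guarantees that the proxied request carries no credential. `baseHeaders` still starts from `...headers`, so an `authorization` header present on the incoming request would be forwarded unless `getProxyStorefrontHeaders` or `cleanHeader` already drops it, and neither helper is visible here. If they do not, add an explicit `else { delete baseHeaders.authorization; delete baseHeaders.Authorization }` after the `if`. The test hunk in theme-environment.test.ts removes the only assertion on this header; a pair of tests (present for `'theme'`, absent otherwise) would pin the intended behaviour. `Cookie: buildCookies(ctx.session, {headers})` is still sent for every context type, which is worth confirming as intended; the function body continues outside the hunk.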
diff --git a/packages/theme/src/cli/utilities/theme-environment/theme-environment.test.ts b/packages/theme/src/cli/utilities/theme-environment/theme-environment.test.ts
index cd2139c5abd..02508a5ee67 100644
--- a/packages/theme/src/cli/utilities/theme-environment/theme-environment.test.ts
+++ b/packages/theme/src/cli/utilities/theme-environment/theme-environment.test.ts
@@ -872,7 +872,6 @@ describe('setupDevServer', () => {
 headers: expect.objectContaining({
 referer,
 'User-Agent': expect.stringContaining('Shopify CLI'),
- Authorization: expect.stringContaining('Bearer'),
 }),
 }),
 )
From 44a3911dd40cf6cfad3b50c339396d28235f9138 Mon Sep 17 00:00:00 2001
From: Gonzalo Riestra
Date: Mon, 19 Jan 2026 09:57:12 +0100
Subject: [PATCH 2/2] Remove unneeded changeset
---
 .changeset/little-zebras-cut.md | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 .changeset/little-zebras-cut.md
diff --git a/.changeset/little-zebras-cut.md b/.changeset/little-zebras-cut.md
deleted file mode 100644
index bc2c03eb438..00000000000
--- a/.changeset/little-zebras-cut.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-'@shopify/theme': patch
----
-
-Only send authorization headers when it's a theme request for proxy requests