On 7 May 2026, Shopify published a notice in their developer changelog: stricter rate limits were being applied to bots and automated tools accessing Shopify-hosted storefronts. Tools that don't authenticate properly would be throttled or blocked outright. If you missed that update, Ahrefs made sure you noticed it anyway. Shortly after, Site Audit started throwing 403 errors on Shopify stores, with a warning banner explaining exactly why. The fix is simple, and once it's done, you won't need to think about it again for three months.
What's actually going on
Shopify now uses something called Web Bot Auth, a system based on HTTP message signatures that lets merchants tell Shopify which automated tools are authorised to access their store. Think of it as a secure key you generate in your Shopify admin and hand to your crawling tool. If the tool presents that key on every request, Shopify lets it through without throttling it. If it doesn't, Shopify assumes it's an uninvited guest and treats it accordingly.
Ahrefs has updated its Site Audit product to support this, so the fix sits entirely on your side. There are two parts: generating the signature in Shopify, and pasting it into Ahrefs.
Step 1: Generate your signature in Shopify Admin
Go to Online Store > Preferences in your Shopify admin. Scroll down until you find the Crawler access section. Click Create signature.
You'll be asked to give it a name, choose your domain, and set an expiry date. Be descriptive with the name. Something like "Ahrefs Site Audit" is better than "Crawler 1" when you're managing multiple signatures later. Note that signatures expire after a maximum of three months, so you'll need to repeat this process quarterly.
Once created, Shopify generates three values: Signature, Signature-Input, and Signature-Agent. Copy all three. The Signature-Agent value will always be "https://shopify.com" but copy it anyway rather than typing it manually.
Step 2: Add the headers to Ahrefs Site Audit
Open Ahrefs and navigate to your Site Audit project. Go into the project Settings, then find the Custom HTTP Headers section.
Add three headers using the values you copied from Shopify:
Header name: Signature → paste your Signature value Header name: Signature-Input → paste your Signature-Input value Header name: Signature-Agent → paste your Signature-Agent value (the "https://shopify.com" one)
Save your settings and trigger a new crawl. The 403 errors should be gone, and Ahrefs will have full access to crawl your store properly.
Don't forget!
Signatures last up to three months. When yours expires, Ahrefs will start hitting 403 errors again and you'll need to generate a new signature in Shopify and update the headers in your project settings. Put a reminder in your calendar now. Three months passes faster than you'd think.
One more thing worth knowing: each signature is tied to a single domain. So if your store runs multiple domains across different markets, say a .com, .co.uk, .ie, and .fr, each one needs its own signature, and each corresponding Ahrefs Site Audit project needs its own headers configured. It's the same five-minute process repeated per domain, but worth factoring in before you assume one signature covers everything.
Why this matters for your SEO data
If your Ahrefs audit has been failing silently, you've been making SEO decisions based on incomplete data. Technical issues go undetected, internal linking gaps get missed, and your health score is essentially meaningless. Accurate crawling is the foundation of any halfway decent technical SEO process, and on Shopify this fix is now a prerequisite for getting reliable data.
We did this for our own site at oglesbymedia.com, and it took less than five minutes. If you're running audits across multiple client stores, you'll need to repeat the process for each one and manage the expiry dates separately.
Don't want to manage this yourself?
If you'd rather not manage this yourself, we set this up as part of our Shopify SEO services. Get in touch with Oglesby Media and we'll make sure your audit tools are running cleanly so your SEO data is actually worth looking at.
