[OJFord]

Actually I'm not sure that is interesting - from Shopify's perspective it is payment-required. If the shop's dodgy JS sent a malformed request body, you'd get a 400 - even though the bad-request relationship is between the shop and Shopify.

[kedean]

It does violate the contract of 4xx errors though, that a 4xx indicates a client error. If the store hasn't paid up, that's not the clients fault nor can they fix it. It should be some kind of 5xx for customers.

[krainboltgreene]

If an admin disables your account by accident, that's still a 401. Just because the client can't change something, doesn't mean it doesn't fit along with the 4XX brand.

[takeda]

401 means authentication is required. If Shopify is sending that to clients, because admin disabled access, that's just another example of abusing the error codes