How to Get a Shopify Access Token for API Integration

Getting a Shopify access token is one of the most critical steps when building integrations, custom apps, or third-party solutions that interact with your Shopify store. Whether you're a developer building a custom application, an agency managing multiple client stores, or a business automating your Shopify workflows, understanding how to access your Shopify API key and generate tokens is essential.

In 2026, Shopify continues to streamline its API authentication process, but the fundamentals remain consistent. This comprehensive guide walks you through everything you need to know about obtaining and managing Shopify access tokens, with step-by-step instructions and best practices for secure implementation.

What You Need

• A Shopify store account with admin access (staff account with App and Channel Management permissions)
• Access to your store's admin dashboard at https://admin.shopify.com
• A clear understanding of what API scopes your integration requires
• A development environment or application ready to receive and store tokens securely
• Familiarity with REST APIs or GraphQL (depending on your use case)
• SSL/TLS certificates for secure token transmission (HTTPS required)
• A secure method to store tokens (environment variables, encrypted databases, secret managers)

Required API Scopes

Scope	What It Allows
read_products	Access to read product data, including titles, descriptions, prices, variants, and images from your store
write_products	Permission to create, update, and modify products, including adding variants and updating inventory
read_orders	Access to view order information including customer details, order history, payment status, and fulfillment data
write_orders	Permission to create orders, update order status, add tags, manage fulfillments, and modify order data
read_customers	Access to customer data including contact information, purchase history, and customer metadata

Step-by-Step Guide

Step 1: Log Into Your Shopify Admin Dashboard

Navigate to https://admin.shopify.com and log in with your store credentials. Ensure your account has the necessary permissions to manage apps and integrations. If you're a staff member, confirm with your store owner that you have "App and channels" management permissions.

Step 2: Access the Apps and Integrations Section

From your admin dashboard, locate the "Apps and integrations" menu item in the left sidebar. Click on it to expand the menu and view available options. This section centralizes all your app management, custom apps, and API integrations.

Step 3: Navigate to Develop Apps

Within the Apps and Integrations section, select "Develop apps" (or "App development" depending on your admin version). This is where you'll create custom apps specifically for your store's needs. Click the "Create an app" button to begin the process.

Step 4: Name Your App and Provide Details

Enter a descriptive name for your app (e.g., "Inventory Management Tool" or "Custom Order Sync"). Add a clear description of what your app does and why you need API access. Shopify uses this information to help you remember the purpose of each token you create. You can also specify your app's purpose to help Shopify suggest appropriate scopes.

Step 5: Configure API Scopes and Credentials

After creating your app, navigate to the "Configuration" section. Here you'll define which API scopes your app needs. Carefully select only the scopes necessary for your integration to function—this follows the principle of least privilege and improves security. For example:

• If you only need to read products: select read_products
• If you need to sync orders: select read_orders and optionally write_orders
• If managing customers: select read_customers

Save your scope configuration after selecting the appropriate permissions.

Step 6: Generate Admin API Access Token

Once your scopes are configured, locate the "Admin API access tokens" section. Click the "Install app" button to generate your access token. Shopify will display your access token once and only once—make sure to copy and securely store it immediately in an environment variable or secure vault.

Step 7: Test Your Access Token

Before implementing your token in production, test it with a simple API call. Use the following curl example to verify your token works:

curl -X GET "https://your-store.myshopify.com/admin/api/2024-01/products.json" \
  -H "X-Shopify-Access-Token: your_access_token_here"

Replace "your-store" with your actual Shopify store domain and "your_access_token_here" with the token you just generated. If successful, you'll receive a JSON response containing your store's products.

Step 8: Implement Token in Your Application

Store your access token securely using environment variables or a secrets management system. Never hardcode tokens directly in your source code or commit them to version control. A secure implementation looks like:

// Node.js/JavaScript example
const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;
const shopDomain = process.env.SHOPIFY_STORE_DOMAIN;

const headers = {
  'X-Shopify-Access-Token': accessToken,
  'Content-Type': 'application/json'
};

fetch(`https://${shopDomain}/admin/api/2024-01/products.json`, {
  method: 'GET',
  headers: headers
})
.then(response => response.json())
.then(data => console.log(data))

Step 9: Monitor and Rotate Tokens Regularly

Shopify's admin dashboard allows you to view when tokens were last used and rotate them if needed. For enhanced security, implement token rotation policies—generate new tokens periodically and revoke old ones. This limits the impact of a compromised token and follows security best practices.

Using GetShopifyToken (Faster Method)

While the manual process above gives you complete control, many developers prefer a faster, more streamlined approach. GetShopifyToken at https://getshopifytoken.com automates much of this process, allowing you to generate access tokens in minutes rather than navigating through multiple admin pages.

GetShopifyToken handles the configuration wizard, scope selection, and token generation automatically, providing a user-friendly interface that reduces errors and eliminates steps. This is particularly valuable if you're managing multiple Shopify stores or frequently need to create development and staging tokens.

Common Issues

• 401 Unauthorized Error: Your access token is invalid, expired, or has been revoked. Generate a new token and verify you're using the correct store domain.
• 403 Forbidden Error: Your token lacks the necessary scopes for the requested operation. Review your app's scopes in the admin dashboard and add any missing permissions.
• Token Not Appearing After Install: Refresh your browser page after clicking "Install app." If it still doesn't appear, ensure your account has sufficient permissions.
• Cannot Find Apps and Integrations Menu: This menu option is available to store owners and staff with appropriate permissions. Verify your account role with your store owner.
• Token Accidentally Exposed: Immediately revoke the exposed token in your admin dashboard and generate a new one. Exposed tokens can be exploited to access or modify your store data.
• API Calls Returning 404 Not Found: Verify your store domain is correct (e.g., "mystore.myshopify.com" not "mystore.shopify.com") and you're using the correct API version year.
• Rate Limiting (429 Too Many Requests): Shopify implements rate limiting. Implement exponential backoff in your code to handle rate limits gracefully.

Related Guides

• How to Use Shopify GraphQL API with Your Access Token
• Best Practices for Storing and Managing Shopify API Keys Securely
• Shopify REST API vs. GraphQL: Which Should You Use?

Frequently Asked Questions

Q: Can I use the same access token for multiple applications?

Technically yes, but it's not recommended. Best practice is to create separate apps and tokens for each integration or application. This allows you to monitor usage individually, revoke specific tokens without affecting others, and maintain better security by limiting token exposure across multiple systems.

Q: How long do Shopify access tokens remain valid?

Shopify access tokens don't expire automatically. They remain valid indefinitely until you explicitly revoke them or delete the app. However, Shopify recommends implementing token rotation policies—generating new tokens periodically and revoking old ones—to enhance security. If you suspect a token has been compromised, revoke it immediately.

Q: What's the difference between public and private apps for token generation?

In 2026, Shopify has unified the app development experience. All custom apps you create are private by default, meaning they only exist within your store and cannot be distributed to other merchants. Public apps distributed through the Shopify App Store use OAuth 2.0 authentication instead of static access tokens, providing better security and user control.