How to Get a Shopify Access Token for Developer Dashboard Access
If you're building applications, integrations, or custom solutions that interact with Shopify stores, you'll need a Shopify access token. In 2026, accessing the Shopify developer dashboard and generating API credentials has become more streamlined than ever, but the process still requires careful attention to security and proper configuration. This comprehensive guide walks you through everything you need to know about obtaining and managing your Shopify access token for dashboard access.
An access token is a secure credential that allows your application to authenticate requests to the Shopify API on behalf of a store. Whether you're developing a private app for a single store or building a public app for the Shopify App Store, understanding how to access the Shopify dev dashboard and generate tokens is essential.
What You Need
- A Shopify partner account (free to create at partners.shopify.com)
- Access to a development store or the ability to create one
- Admin privileges on your Shopify store
- A web browser with cookies and JavaScript enabled
- Basic understanding of API concepts and authentication
- Your Shopify store URL or development store credentials
- An IDE or code editor for testing API calls (optional but recommended)
- Familiarity with command-line tools like cURL for API testing
Required API Scopes
Before you can use your access token, you need to define what permissions it will have. Scopes determine which resources and actions your application can access. Here are the most common scopes you'll need:
| Scope | What It Allows |
|---|---|
| read_products | Read product data including titles, descriptions, prices, and variants |
| write_products | Create, update, and delete products and their variants |
| read_orders | Access order information, customer details, and transaction history |
| write_orders | Create and modify orders, including fulfillment and payment processing |
| read_customers | Retrieve customer information, addresses, and account details |
Step-by-Step Guide
Step 1: Create or Access Your Shopify Partner Account
First, navigate to partners.shopify.com and log in with your Shopify account credentials. If you don't have a partner account yet, click "Create an account" and follow the registration process. This is completely free and takes just a few minutes. Your partner account is your gateway to accessing the developer dashboard where you'll manage all your apps and access tokens.
Step 2: Access the Developer Dashboard
Once logged into your partner account, click on "Apps and integrations" in the left sidebar. This takes you to the hub where you can create new apps, manage existing ones, and access your API credentials. The dashboard displays all your development projects in one centralized location, making it easy to manage multiple integrations.
Step 3: Create a New App
Click the "Create an app" button. You'll be presented with two options: "Create an app for your store" or "Create an app to sell on the Shopify App Store." For most use cases, select the first option. Give your app a meaningful name that describes its function—for example, "Inventory Sync Tool" or "Customer Analytics Integration." This name helps you organize your projects as you create more apps.
Step 4: Configure Your App Settings
After creating your app, navigate to the "Configuration" tab. Here you'll define your app's basic properties. Enter your app's name, description, and select the appropriate category. Most importantly, specify your app URL and redirect URI. The redirect URI is crucial for OAuth authentication flows—it's where Shopify will redirect users after they authorize your app to access their store data.
Step 5: Select Required API Scopes
In the "Admin API scopes" section, select the permissions your application needs. Start with the minimum required scopes—this follows the principle of least privilege and keeps your integration secure. You can always add more scopes later if your application requirements expand. Each scope grants specific permissions, so be thoughtful about which ones you enable.
Step 6: Generate Your Access Token
Navigate to the "API credentials" section within your app settings. Here you'll find your API key and API secret. For private apps or development purposes, you'll generate an access token by clicking "Generate access token." Shopify will display your token once—copy it immediately and store it securely. Never commit access tokens to version control systems like Git or share them publicly.
Step 7: Test Your Token with an API Call
To verify your access token works correctly, make a test API call. Here's an example using cURL to fetch your store's product information:
curl -X GET "https://your-store-name.myshopify.com/admin/api/2024-01/products.json" \
-H "X-Shopify-Access-Token: YOUR_ACCESS_TOKEN_HERE" \
-H "Content-Type: application/json"Replace your-store-name with your actual Shopify store name and YOUR_ACCESS_TOKEN_HERE with the token you just generated. If the request succeeds, you'll receive a JSON response containing your products. If you encounter authentication errors, double-check that your token is correct and your scopes include read_products.
Step 8: Securely Store Your Token
Never hardcode your access token into your application source code. Instead, use environment variables. Here's how to set it up in a typical Node.js application:
// In your .env file
SHOPIFY_ACCESS_TOKEN=shpat_xxxxxxxxxxxxxxxxxxxx
// In your Node.js application
const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;
// Make your API request
const response = await fetch('https://your-store-name.myshopify.com/admin/api/2024-01/products.json', {
headers: {
'X-Shopify-Access-Token': accessToken,
'Content-Type': 'application/json'
}
});Using environment variables ensures your token remains secure and can be easily rotated without modifying your codebase.
Using GetShopifyToken (Faster Method)
If you're looking to streamline the token generation process even further, GetShopifyToken offers an automated solution that simplifies many of these steps. Rather than manually navigating the partner dashboard, selecting scopes, and generating tokens, GetShopifyToken handles the configuration for you through an intuitive interface. This service is particularly valuable if you're managing multiple Shopify stores or frequently need to generate fresh tokens for different applications. Visit getshopifytoken.com to explore how it can save you time while maintaining security best practices.
Common Issues
- Authentication Errors (401 Unauthorized): This typically indicates your access token is invalid, expired, or incorrectly formatted. Verify you've copied the entire token without any extra spaces or characters. If the token is old, generate a new one from your app configuration.
- Insufficient Permissions (403 Forbidden): Your token lacks the required scopes for the API endpoint you're calling. Review which scopes your token has and add any missing ones in your app configuration. Remember you'll need to regenerate your token after modifying scopes.
- Token Not Displaying: Shopify only shows your access token once during generation. If you didn't copy it, you'll need to regenerate it. The old token will be revoked automatically.
- Redirect URI Mismatch: If you're building an OAuth app, ensure the redirect URI in your app configuration exactly matches the one specified in your application code, including the protocol (http/https) and any trailing slashes.
- Development Store Limitations: Free development stores reset every 90 days if unused. If your store was automatically deleted, create a new development store and regenerate your tokens.
- Rate Limiting: Shopify enforces API rate limits. If you exceed them, you'll receive 429 responses. Implement exponential backoff and request throttling in your application.
- Token Expiration in Custom Apps: Custom app tokens don't expire automatically, but admin-created access tokens for third-party apps may have expiration policies. Check your app's configuration for token lifetime settings.
Related Guides
- How to Implement OAuth Authentication for Shopify Apps
- Shopify API Rate Limits and Best Practices for 2026
- Securing Your Shopify API Credentials: Environment Variables and Secrets Management
Frequently Asked Questions
Q: How long does a Shopify access token remain valid?
Access tokens for custom apps don't have an automatic expiration date—they remain valid until you manually revoke them or delete the app. However, for third-party apps installed from the Shopify App Store, token expiration policies may vary depending on the app's configuration and Shopify's current policies. Always check your app's security settings to understand your token's lifecycle.
Q: Can I use the same access token for multiple Shopify stores?
No, each access token is specific to one Shopify store. If you need to interact with multiple stores, you'll need to generate separate tokens for each store and manage them independently. For apps that serve multiple stores, implement proper token management to track which token corresponds to which store.
Q: What should I do if I accidentally expose my access token?
Immediately revoke the compromised token from your app's API credentials section in the partner dashboard. Generate a new token and update all applications using the old token. Since access tokens provide full API access based on their assigned scopes, exposing one could potentially allow unauthorized access to sensitive store data. Act quickly to minimize any security risk.
Q: Do I need a Shopify partner account to get an access token?
Yes, you need a Shopify partner account to access the developer dashboard where you create apps and generate access tokens. The partner account is free to create and gives you access to development stores and all the tools needed for Shopify app development.
Q: Can I restrict an access token to specific resources or endpoints?
You can't restrict a token to specific endpoints, but you can limit what data it can access through API scopes. For example, if you only need to read products, assign only the read_products scope. This provides a layer of security by ensuring compromised tokens can't access resources beyond their granted scopes.