How to Get a Shopify Access Token for Custom App Deployment
Deploying a custom app to Shopify in 2026 requires a properly configured access token—the authentication credential that allows your application to interact securely with your Shopify store's API. Whether you're building a private app for internal use or a public app for distribution, understanding how to generate and manage Shopify access tokens is essential for successful deployment. This comprehensive guide walks you through the entire process, from prerequisites to troubleshooting common issues.
What You Need
- A Shopify store with admin access (development or live store)
- Access to the Shopify Admin dashboard
- Permission to create and manage apps and integrations
- Understanding of which API scopes your custom app requires
- A development environment or server to host your custom app
- Basic knowledge of API authentication and REST/GraphQL protocols
- Updated browser compatible with Shopify Admin 2026 interface
- Optional: Shopify CLI installed locally for streamlined development
Required API Scopes
API scopes define what permissions your custom app has within the Shopify store. Requesting only necessary scopes follows the principle of least privilege and enhances security. Here are common scopes you may need when deploying a custom app:
| Scope | What It Allows |
|---|---|
| read_products | Retrieve product information, variants, and inventory data from your store |
| write_products | Create, update, and modify products and product variants in your catalog |
| read_orders | Access order details, customer information, and transaction history |
| write_orders | Modify orders, apply discounts, and update fulfillment status |
| read_customers | View customer profiles, email addresses, and purchase history |
| write_customers | Create, update, and manage customer accounts and metadata |
Custom scopes vary depending on your app's functionality. Always review Shopify's official scope documentation to ensure you're requesting the correct permissions for your deployment.
Step-by-Step Guide
Follow these steps to deploy your custom Shopify app and generate the necessary access token:
-
Log in to your Shopify Admin Dashboard
Navigate to your Shopify store's admin panel at https://admin.shopify.com. Sign in with your account credentials. Make sure you have administrative privileges—only store owners and staff with app management permissions can create custom apps.
-
Access the Apps and Integrations Section
From the main menu, click "Apps and integrations" (or "Apps" depending on your plan and region). This section contains all installed apps and tools for creating custom applications. You should see options for browsing the app store and developing custom apps.
-
Create a New Custom App
Look for the "Create an app" or "Develop apps" button. Click it to begin the custom app creation process. Shopify will prompt you to name your application and provide a description of what it does. Choose a clear, descriptive name that reflects your app's purpose, such as "Inventory Manager" or "Order Sync Tool."
-
Configure Admin API Access and Select Scopes
In your app settings, navigate to the "Configuration" or "API Credentials" section. Under "Admin API," you'll specify which scopes your app needs. Check the boxes corresponding to the permissions your custom app requires. Be selective—request only scopes necessary for your app to function. This is a critical security step when preparing to deploy.
-
Set Webhook Endpoints (If Applicable)
If your custom app needs to respond to store events (like product updates or order creation), configure webhook endpoints. Provide the URL where Shopify should send webhook notifications. This is essential for real-time app behavior during deployment.
-
Generate the Access Token
Once you've configured scopes and webhooks, click "Save" and then "Install app" or "Generate token." Shopify will create your Admin API access token. This token is displayed only once—copy it immediately and store it securely. Never share this token or commit it to public repositories.
-
Verify Your Token with an API Call
Test your access token by making an API request to confirm it works properly. Use the following curl command to verify your token against your store:
curl -X GET "https://YOUR_STORE.myshopify.com/admin/api/2025-10/shop.json" \ -H "X-Shopify-Access-Token: YOUR_ACCESS_TOKEN" \ -H "Content-Type: application/json"Replace "YOUR_STORE" with your Shopify store's name and "YOUR_ACCESS_TOKEN" with the token you just generated. A successful response returns your shop's information in JSON format.
-
Deploy Your Custom App
With a verified access token, you're ready to deploy. Configure your app's environment variables to include the token securely (use environment files, not hardcoded values). Deploy your application to your hosting provider, ensuring the token is stored securely using your host's secrets management system.
-
Monitor and Maintain
After deployment, monitor your app's API requests and error logs. Shopify provides rate-limiting guidelines—ensure your app respects API call quotas. Regularly review your app's scope requirements and rotate tokens according to your security policy.
Using GetShopifyToken (Faster Method)
While the manual process above is thorough and educational, generating Shopify access tokens can be streamlined significantly. GetShopifyToken is a dedicated platform that automates much of this complexity. Instead of navigating multiple admin screens and manually configuring scopes, GetShopifyToken guides you through the essential steps with a user-friendly interface, reducing deployment time from 15+ minutes to just a few minutes.
The platform securely handles token generation and provides best-practice recommendations for API scopes based on your app's intended functionality. If you're deploying multiple custom apps or managing several Shopify stores, GetShopifyToken becomes invaluable for centralized token management.
Common Issues
- Token Not Displaying After Generation: Shopify displays access tokens only once. If you didn't copy it immediately, you must regenerate the token from your app settings.
- "Invalid API Credentials" Error: Verify that your store name is correct, your token hasn't expired, and you're using the correct API version endpoint. Tokens for custom apps typically don't expire, but regenerating them invalidates older ones.
- Insufficient Scopes Error: If your API call returns a permission error, your app lacks required scopes. Edit your app's configuration, add the missing scopes, and regenerate your token.
- CORS or Request Blocking Issues: Ensure your custom app's server IP or domain is not blocked by Shopify security policies. Custom apps must call Shopify's API from a secure, authenticated environment.
- Rate Limiting (429 Errors): Shopify enforces API rate limits (typically 2 requests per second for REST API). Implement exponential backoff retry logic in your app to handle rate-limiting responses gracefully.
- Token Leaked or Compromised: If you accidentally expose your token, regenerate it immediately from your app settings. The old token becomes invalid within seconds.
- Webhook Signature Verification Fails: When receiving webhooks, always verify the X-Shopify-Hmac-SHA256 header. Ensure your webhook endpoint is publicly accessible and returns a 2xx status code.
Related Guides
- How to Use Shopify GraphQL Admin API for Custom App Development
- Understanding Shopify API Rate Limits and Optimization Strategies
- Securing Shopify Access Tokens: Best Practices for 2026
- Deploying Private vs. Public Shopify Apps: Key Differences
Frequently Asked Questions
Q: Can I use one access token for multiple Shopify stores?
No. Each Shopify store is independent, and access tokens are store-specific. You must generate separate tokens for each store you want your custom app to access. If you're managing a multi-store setup, implement a system to securely store and rotate tokens for each store independently.
Q: How often should I rotate my Shopify access tokens?
Shopify custom app tokens don't have expiration dates by default, but security best practices recommend rotating tokens annually or immediately if compromised. Implement a token rotation schedule as part of your security maintenance routine, especially for high-security applications handling sensitive customer data.
Q: What's the difference between private and public Shopify apps?
Private custom apps are for single-store use by the store owner or designated staff. Public apps are distributed through the Shopify App Store or installed on multiple merchant stores. Public apps use OAuth 2.0 for authentication, while private apps use simple access tokens. The deployment process differs significantly—public apps require additional security reviews and compliance checks.
Q: Can I regenerate my access token without breaking my deployed app?
You can regenerate your token, but your app's environment variables must be updated with the new token immediately. Regenerating invalidates the old token, potentially causing downtime. Update your production environment's secrets manager with the new token before invalidating the old one to ensure continuous operation.
Q: Is it safe to store my access token in a .env file?
Storing tokens in .env files is acceptable for development but risky for production. Never commit .env files to version control. For production deployments, use your hosting provider's secrets management (AWS Secrets Manager, Heroku Config Vars, etc.) to store tokens securely without exposing them in code.