Published April 18, 2026 Updated April 18, 2026 howto

How to Get a Shopify Access Token for Custom Orders

Custom orders on Shopify allow merchants to create one-off or personalized products for customers outside of the standard catalog. Whether you're managing bespoke items, bulk orders, or special requests, implementing custom orders requires programmatic access to your Shopify store. The gateway to this capability is a Shopify access token, a secure credential that authenticates API requests and grants your applications permission to interact with your store's data.

In 2026, Shopify's API ecosystem continues to evolve with enhanced security protocols and streamlined token management. This comprehensive guide walks you through obtaining a Shopify access token specifically for managing custom orders, whether you're building a custom order management app, integrating with third-party fulfillment systems, or automating order creation workflows.

What You Need

Required API Scopes

Scopes define what permissions your access token has. For custom orders functionality, you'll need specific scopes that allow reading, creating, and modifying orders. Here are the essential scopes required:

| Scope | What It Allows |
| --- | --- |
| write_orders | Create, update, and cancel orders programmatically. Essential for custom order creation and modifications. |
| read_orders | Retrieve order data, including custom order history, status, and details. Necessary for tracking and validation. |
| write_products | Create and modify products for custom items. Useful if custom orders involve temporary product variants. |
| read_products | Access product information to validate inventory and variant availability for custom orders. |
| write_draft_orders | Create and manage draft orders, which are perfect for custom orders before final conversion to actual orders. |

Step-by-Step Guide

Follow these steps to obtain your Shopify access token for custom orders:

Step 1: Log Into Your Shopify Admin

Navigate to your Shopify admin dashboard at https://admin.shopify.com. Sign in with your store credentials. Ensure you have admin-level permissions to create custom applications.

Step 2: Create a Custom App

In your Shopify admin, locate the "Settings" option in the left sidebar. Click on "Apps and integrations" (previously labeled "Apps"), then select "Develop apps." If you're creating your first app, you may need to accept Shopify's developer agreement.

Click the "Create an app" button and choose "Custom app" from the available options. This opens the custom app creation interface.

Step 3: Configure App Permissions

Enter a name for your custom app—something descriptive like "Custom Order Manager" works well. Next, navigate to the "Configuration" section and locate "Admin API access scopes."

Select the scopes listed under "Required API Scopes" above by checking their corresponding boxes.

These scopes grant your token the permissions necessary to create, read, and manage custom orders through the Shopify API.

Step 4: Save and Install the App

After selecting your desired scopes, click "Save" at the top right of the page. Shopify will prompt you to confirm the permissions. Review the selected scopes and click "Install app" to proceed.

Step 5: Retrieve Your Access Token

Once installed, you'll be directed to the app's detail page. Scroll to the "Admin API access token" section. You'll see your access token displayed—this is a long string of characters that authenticates your API requests.

Important Security Note: Copy and store this token in a secure location immediately. Shopify only displays it once. If you lose it, you'll need to generate a new token. Never share your access token or commit it to public repositories.

Step 6: Test Your Token with an API Call

Verify your token works by making a test API request. Open your terminal or API client and execute the following curl command:

curl -X POST https://your-store.myshopify.com/admin/api/2026-01/graphql.json \
  -H "X-Shopify-Access-Token: your_access_token_here" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "{ shop { name } orders(first: 1) { edges { node { id } } } }"
  }'

Replace your-store with your actual Shopify store name and your_access_token_here with your newly generated token. A successful response confirms that the token is valid and can read orders; the write scopes are not exercised until Step 7.
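To check every scope from Step 3 rather than only read access, the token can be asked which scopes it holds. The following is an added example, not code from the original guide: it builds a `currentAppInstallation` scope query with the token read from an environment variable, then reports missing and surplus scopes. The variable name `SHOPIFY_ACCESS_TOKEN`, the function names and the sample response are assumptions, as is treating a `write_*` grant as covering the matching `read_*` scope.

```python
import json
import os
import urllib.request

# Scopes this guide selects for custom orders.
REQUIRED = {"write_orders", "read_orders", "write_products",
            "read_products", "write_draft_orders"}
SCOPE_QUERY = "{ currentAppInstallation { accessScopes { handle } } }"


def build_scope_request(shop, api_version="2026-01"):
    """Build (not send) the scope query. The token comes from the environment
    so it never lands in shell history or a process listing."""
    token = os.environ["SHOPIFY_ACCESS_TOKEN"]  # assumed variable name
    return urllib.request.Request(
        f"https://{shop}.myshopify.com/admin/api/{api_version}/graphql.json",
        data=json.dumps({"query": SCOPE_QUERY}).encode(),
        headers={"X-Shopify-Access-Token": token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def _implied_reads(scopes):
    # Assumption: a write_* grant also covers the matching read_* scope.
    return {"read_" + s[len("write_"):] for s in scopes if s.startswith("write_")}


def audit_scopes(response_body, required=REQUIRED):
    """Return (missing, excess) scope sets for a scope-query response body."""
    doc = json.loads(response_body)
    if doc.get("errors"):
        raise RuntimeError(f"GraphQL errors: {doc['errors']}")
    granted = {s["handle"] for s in
               doc["data"]["currentAppInstallation"]["accessScopes"]}
    missing = required - (granted | _implied_reads(granted))
    excess = granted - (required | _implied_reads(required))
    return missing, excess


# Constructed sample response: one required scope absent, one surplus scope.
SAMPLE = json.dumps({"data": {"currentAppInstallation": {"accessScopes": [
    {"handle": "write_orders"}, {"handle": "read_products"},
    {"handle": "write_draft_orders"}, {"handle": "read_customers"}]}}})

if __name__ == "__main__":
    missing, excess = audit_scopes(SAMPLE)
    print("missing:", sorted(missing), "excess:", sorted(excess))
```

A non-empty `excess` set means the token can do more than custom orders need and is worth trimming in the app configuration.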

Step 7: Create a Custom Order Using Your Token

With a verified token, you can now create custom orders. Here's an example GraphQL mutation to create a draft order (draft orders are ideal for custom items before final conversion):

curl -X POST https://your-store.myshopify.com/admin/api/2026-01/graphql.json \
  -H "X-Shopify-Access-Token: your_access_token_here" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "mutation { draftOrderCreate(input: { lineItems: [{ title: \"Custom Product\", quantity: 1, customAttributes: [{key: \"Customization\", value: \"Engraved Name\"}] }], email: \"customer@example.com\" }) { draftOrder { id status } userErrors { field message } } }"
  }'

This mutation creates a draft order with a custom product line item. Once you confirm the draft order is correct, convert it to a finalized order through your Shopify admin or programmatically.
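When the customization text or email comes from a customer, splicing it into the query string as the curl command does lets a stray quote break or alter the mutation. The following added example (not from the original guide) sends the same `draftOrderCreate` fields as GraphQL variables and checks both error channels in the response. The function names and the sample inputs and responses are constructed for illustration.

```python
import json

# Fixed mutation text: every caller-supplied value travels in "variables",
# never inside the query string.
DRAFT_ORDER_MUTATION = """
mutation CreateDraft($input: DraftOrderInput!) {
  draftOrderCreate(input: $input) {
    draftOrder { id status }
    userErrors { field message }
  }
}
"""


def build_draft_order_payload(title, quantity, customization, email):
    """Return the JSON request body for a draftOrderCreate call."""
    if isinstance(quantity, bool) or not isinstance(quantity, int) or quantity < 1:
        raise ValueError("quantity must be a positive integer")
    line_item = {
        "title": title,
        "quantity": quantity,
        "customAttributes": [{"key": "Customization", "value": customization}],
    }
    return json.dumps({
        "query": DRAFT_ORDER_MUTATION,
        "variables": {"input": {"lineItems": [line_item], "email": email}},
    })


def draft_order_id(response_body):
    """Return the new draft order id, or raise on either error channel."""
    doc = json.loads(response_body)
    if doc.get("errors"):            # query-level failure
        raise RuntimeError(f"GraphQL errors: {doc['errors']}")
    result = doc["data"]["draftOrderCreate"]
    if result["userErrors"]:         # validation failure reported in the body
        raise ValueError(f"userErrors: {result['userErrors']}")
    return result["draftOrder"]["id"]


# Constructed inputs and responses for illustration.
TRICKY = 'Say "hi" } to Anna'
OK_RESPONSE = ('{"data":{"draftOrderCreate":{"draftOrder":'
               '{"id":"gid://shopify/DraftOrder/1","status":"OPEN"},"userErrors":[]}}}')
REJECTED = ('{"data":{"draftOrderCreate":{"draftOrder":null,"userErrors":'
            '[{"field":["email"],"message":"constructed validation error"}]}}}')
```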

Using GetShopifyToken (Faster Method)

While the manual process outlined above is secure and gives you complete control, manually navigating Shopify's admin interface can be time-consuming, especially if you manage multiple stores or frequently regenerate tokens.

A faster alternative is to use GetShopifyToken, an automated token generation service that streamlines the process. This platform simplifies token creation by automating several steps, reducing the chance of configuration errors and saving you valuable time. GetShopifyToken handles scope verification and token retrieval through an intuitive interface designed specifically for developers and Shopify merchants managing custom orders at scale.

Common Issues

Frequently Asked Questions

Q: How long does a Shopify access token remain valid?

A Shopify access token remains valid indefinitely until you manually revoke or regenerate it. There is no automatic expiration date. However, for security best practices, consider regenerating tokens periodically (e.g., annually) and immediately if you suspect a compromise.

Q: Can I use the same access token across multiple applications or stores?

No. Each Shopify store requires its own access token generated from its own custom app. Tokens are store-specific and cannot be transferred. If you manage multiple Shopify stores, you'll need to create separate custom apps and tokens for each store.

Q: What's the difference between REST API and GraphQL for custom orders?

Both REST and GraphQL APIs support custom order creation. GraphQL is generally preferred for custom orders because it allows you to request only the data you need, reducing payload size and improving performance. REST is more straightforward for simple operations. Choose based on your application's complexity and your team's preference.

Q: Do I need to regenerate my token if I add new scopes?

Yes. After modifying scopes for a custom app, the existing token becomes invalid. You must generate a new token from the app configuration page, which will include the newly added scopes.
