How to Get a Shopify Access Token for App Development

A Shopify access token is essential for developers who want to build custom apps, integrate third-party services, or automate store operations. Whether you're creating a private app for your own store or a public app for the Shopify App Store, understanding how to find and generate a Shopify admin token is crucial. This comprehensive guide walks you through the entire process, covering everything from prerequisites to troubleshooting common issues.

In 2026, Shopify's authentication system has evolved to prioritize security and ease of use. The process of obtaining an access token is straightforward but requires attention to detail. By following this guide, you'll have a working token in minutes and be ready to start building.

What You Need

• An active Shopify store (development or live store)
• Admin access to your Shopify store
• A plan that supports custom app development (most plans do, including Shopify Plus)
• Basic understanding of APIs and authentication concepts
• Access to your store's settings and admin panel
• A secure method to store and manage tokens (password manager or secure vault)
• Optional: A REST client like Postman for testing API calls

Required API Scopes

API scopes define what permissions your access token has. When creating a token, you'll need to select scopes based on your app's functionality. Here are the most common scopes you'll encounter:

Scope	What It Allows
read_products	Read product data, collections, and inventory information from the store
write_products	Create, update, and delete products and related data
read_orders	Access order information, customer data, and transaction history
write_orders	Create, update, and fulfill orders programmatically
read_customers	Retrieve customer information, addresses, and contact details

When selecting scopes, follow the principle of least privilege—only request permissions your app actually needs. This improves security and builds trust with store owners who may use your app.

Step-by-Step Guide

Follow these detailed steps to generate your Shopify admin token:

Step 1: Log Into Your Shopify Admin

Navigate to your Shopify admin dashboard at yourstore.myshopify.com/admin. Log in with your credentials. Ensure you have admin-level permissions—store owners and designated administrators can create access tokens, but staff members may not have this capability.

Step 2: Access the Apps and Integrations Section

In the admin sidebar, scroll down to find "Apps and integrations" (location may vary slightly depending on your Shopify version). Click on it to expand the menu. You should see options including "Apps and sales channels," "Develop apps," or similar options.

Step 3: Navigate to App Settings or Custom Apps

Look for "Develop apps" or "App settings" depending on whether you're creating a custom app or setting up an existing app. For custom app development, click "Develop apps" or "Create an app." You may need to enable custom app development if you haven't already—follow the on-screen prompts to do so.

Step 4: Create or Select Your App

If you don't have an existing app, click "Create an app." Enter a name for your app (something descriptive like "Inventory Manager" or "Order Automation Tool"). If you already have an app created, simply select it from the list.

Step 5: Configure API Credentials

Once you've selected or created an app, navigate to the "Configuration" or "API Credentials" section. This is where you'll see options to generate your access token. Look for a section labeled "Admin API access tokens" or similar.

Step 6: Select Required Scopes

Before generating the token, you must select the API scopes your app needs. Click "Add more scopes" or "Edit scopes" and check the boxes for the permissions your application requires. Common scopes include:

• read_products – to view product information
• write_products – to modify products
• read_orders – to access order data
• read_customers – to view customer information

After selecting scopes, save your changes.

Step 7: Generate the Access Token

Look for a button labeled "Generate token" or "Create access token." Click it. Shopify will generate a unique token for your app. This token will only be displayed once, so copy it immediately and store it securely. Do not share this token with anyone or commit it to public repositories.

Step 8: Store Your Token Securely

Save your access token in a secure location. Best practices include:

• Using environment variables (e.g., in a .env file for local development)
• Storing it in a password manager
• Using a secrets management service for production apps
• Never hardcoding tokens directly in your source code

Step 9: Test Your Token

Verify that your token works by making a test API call. Here's an example using curl:

curl -X GET "https://yourstore.myshopify.com/admin/api/2024-01/products.json" \
  -H "X-Shopify-Access-Token: shpat_abcdef123456789" \
  -H "Content-Type: application/json"

Replace:

• yourstore with your actual Shopify store name
• shpat_abcdef123456789 with your actual access token
• 2024-01 with the current API version (check Shopify's documentation for the latest version)

A successful response will return JSON data with your store's products. If you receive an authentication error, double-check that your token is correct and that you've selected the appropriate scopes.

Using GetShopifyToken (Faster Method)

If you want to streamline the process of obtaining and managing Shopify access tokens, consider using getshopifytoken.com. This platform automates much of the token generation process, providing a user-friendly interface that guides you through each step. Instead of navigating Shopify's admin manually, you can use GetShopifyToken to generate, store, and manage multiple tokens for different apps and stores—all in one place.

Visit https://getshopifytoken.com to learn more about how they can accelerate your development workflow. Many developers and agencies use GetShopifyToken to reduce setup time and improve token security management.

Common Issues

• Token Not Displaying: If you don't see your token after generation, check that you're in the correct app's configuration section. Tokens only display once, so if you missed it, you'll need to regenerate a new one. The old token will be automatically invalidated.
• Authentication Errors: Ensure your token is spelled correctly and hasn't expired. Also verify that your API call includes the correct header format: X-Shopify-Access-Token: your_token_here.
• Insufficient Permissions: If your API calls fail with permission errors, check that you've selected the appropriate scopes. You may need to add additional scopes and regenerate the token.
• Custom App Development Not Enabled: Some Shopify plans or stores may have custom app development disabled. Contact Shopify Support if you can't find the "Develop apps" option.
• Token Accidentally Shared: If you've exposed your token publicly, regenerate it immediately. The old token will be invalidated, and a new one will be created.
• API Version Mismatch: Make sure you're using a current API version in your requests. Shopify regularly updates API versions, and older versions may be deprecated.
• Store Not Meeting Requirements: Development stores and trial stores have limitations on which apps and integrations are available. Verify your store plan supports custom app development.

Related Guides

• How to Use Shopify REST API for Inventory Management
• Complete Guide to Shopify GraphQL API Authentication
• Setting Up OAuth for Public Shopify Apps
• Best Practices for Managing Multiple Shopify Access Tokens

Frequently Asked Questions

Q: Can I regenerate my Shopify access token?

Yes, you can regenerate your token at any time by returning to the app's configuration section and clicking "Regenerate" or "Create new token." The old token will be invalidated immediately, so ensure all applications using the old token are updated with the new one before regenerating. This is a good security practice if you suspect your token has been compromised.

Q: How long do Shopify access tokens last?

Shopify access tokens do not expire automatically. They remain valid indefinitely until you regenerate or revoke them manually. However, if a store is deleted or your app is uninstalled, all associated tokens become invalid. This is different from OAuth tokens, which may have expiration periods.

Q: What's the difference between a private app token and a public app token?

Private app tokens are for custom apps that you install on your own store or a limited number of stores. Public app tokens use OAuth 2.0 and are for apps distributed on the Shopify App Store. Public apps don't store permanent tokens; instead, they request authorization from store owners and receive access tokens after the user approves the requested scopes. For most custom development, you'll be working with private app tokens.

Q: Is it safe to use the same token across multiple applications?

It's generally not recommended. Best practice is to create a separate token for each application or integration. This way, if one token is compromised, the others remain secure. Additionally, using separate tokens allows you to grant different permissions to different applications, following the principle of least privilege.

Q: What should I do if I accidentally commit my token to GitHub?

Immediately regenerate your token in the Shopify admin to invalidate the exposed one. Check your GitHub history and consider using git-secrets or similar tools to prevent this in the future. Then, generate a new token and update your code. GitHub also scans for exposed Shopify tokens and may notify you automatically.