How to Get a Shopify Access Token for API Integration

A Shopify access token is a critical credential that allows your applications, scripts, and third-party services to interact with your Shopify store's data and functionality. Whether you're building a custom app, integrating with external platforms, or automating store operations, understanding how to find and generate a Shopify API token is essential in 2026.

This comprehensive guide walks you through the process of obtaining your Shopify access token, understanding API scopes, and implementing it securely in your integrations.

What You Need

• A Shopify store (any plan: Basic, Shopify, Advanced, or Plus)
• Admin access to your Shopify store
• Understanding of your API usage requirements
• A secure method for storing sensitive credentials (environment variables, secret managers, etc.)
• Basic knowledge of REST APIs or GraphQL (depending on your use case)
• Access to your store's backend or app management area
• A text editor or IDE for managing your token securely

Understanding Shopify Access Tokens

Before diving into the technical steps, it's important to understand what a Shopify access token actually is. An access token is a unique credential that authenticates your application to Shopify's API servers. It grants your app permission to access specific store data based on the scopes you've requested. Think of it as a digital key that unlocks specific doors to your store's information.

In 2026, Shopify continues to support both REST API tokens and GraphQL Admin API tokens. The method for obtaining these tokens varies slightly depending on which API type you're using and whether you're creating a custom app, public app, or using a third-party integration.

Required API Scopes

API scopes define what data and actions your token can access. You should only request the minimum scopes necessary for your application to function—this follows the principle of least privilege and enhances security.

Scope	What It Allows
read_products	Read access to product data including titles, descriptions, prices, and variants. Necessary for displaying or analyzing product information.
write_products	Full write access to create, update, and delete products. Required for inventory management and product modification tools.
read_orders	Read access to order information including customer details, order totals, and fulfillment status. Essential for order management apps.
write_orders	Write access to update orders, create fulfillments, and modify order attributes. Needed for order processing and fulfillment automation.
read_customers	Read access to customer profiles, contact information, and purchase history. Required for customer relationship management tools.

Step-by-Step Guide

Step 1: Log In to Your Shopify Admin Dashboard

Navigate to your Shopify store's admin dashboard at yourstore.myshopify.com/admin. Enter your email and password to log in. Ensure you're using an account with admin privileges—only store admins can create and manage API tokens.

Step 2: Navigate to Apps and Integrations

Once logged in, look for the "Apps and integrations" section in the left sidebar. This section (previously called "Apps" in earlier Shopify versions) contains all the tools for managing your store's integrations and custom apps. Click on "Apps and integrations" to proceed.

Step 3: Access the Develop Apps Section

Within the Apps and integrations area, you'll find a "Develop apps" link. Click this to access Shopify's app development tools. If this is your first time, you may need to enable app development by clicking "Create an app" or "Allow custom app creation."

Step 4: Create a New Custom App

Click the "Create an app" button to start creating a new custom application. You'll be prompted to enter an app name—use something descriptive that indicates the app's purpose (e.g., "Inventory Sync Tool" or "Order Processing Bot").

Step 5: Configure App Permissions and Scopes

After creating your app, navigate to the "Configuration" tab. Here, you'll see the "Admin API access scopes" section. This is where you specify what permissions your token will have. Select only the scopes your integration actually needs. For example:

• For a product display tool: select read_products
• For order management: select read_orders and write_orders
• For inventory management: select read_products and write_products

After selecting your scopes, click "Save" to apply the changes.

Step 6: Generate Your Access Token

Navigate to the "API credentials" tab within your custom app. Here, you'll see the "Admin API access token" section. Click the "Reveal" button next to the access token field. Your token will now be visible—it typically appears as a long string of characters.

Important: Copy this token immediately and store it in a secure location. Shopify only displays this token once. If you lose it, you'll need to rotate (regenerate) the token.

Step 7: Test Your Token with an API Call

To verify that your token works correctly, you can test it with a simple API call. Here's an example using curl to fetch your shop information:

curl -X GET "https://yourstore.myshopify.com/admin/api/2024-01/shop.json" \
  -H "X-Shopify-Access-Token: your_access_token_here"

Replace yourstore with your actual store domain and your_access_token_here with the token you just generated. If successful, you'll receive a JSON response containing your shop's information:

{
  "shop": {
    "id": 123456789,
    "name": "My Store Name",
    "email": "owner@example.com",
    "created_at": "2020-01-01T12:00:00-05:00",
    "currency": "USD",
    "customer_email": "customers@example.com",
    "timezone": "America/Chicago",
    "iana_timezone": "America/Chicago",
    "province": "IL",
    "country": "US"
  }
}

Step 8: Store Your Token Securely

Never hardcode your access token directly into your application code or commit it to version control. Instead, use environment variables or a secrets management system:

Using Environment Variables (.env file):

SHOPIFY_ACCESS_TOKEN=shppa_1234567890abcdefghijklmnopqrst
SHOPIFY_STORE_NAME=mystore
SHOPIFY_API_VERSION=2024-01

In your application code, load these from environment variables:

const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;
const storeName = process.env.SHOPIFY_STORE_NAME;
const apiVersion = process.env.SHOPIFY_API_VERSION;

Using GetShopifyToken (Faster Method)

If you want to streamline the token generation process, https://getshopifytoken.com offers an automated solution that handles many of these steps for you. Rather than manually navigating through Shopify's admin dashboard and configuring permissions, GetShopifyToken guides you through a simplified workflow and can help you obtain your token more quickly.

While the manual process described above gives you complete control, GetShopifyToken is particularly useful if you need to generate tokens frequently or if you're managing multiple Shopify stores. The service automates the authentication flow and token retrieval, reducing the chance of configuration errors.

Common Issues

• Token Not Displaying: If you can't see your access token in the API credentials tab, ensure you have admin access and that the custom app has been properly created and configured.
• 401 Unauthorized Errors: This typically means your token is invalid, expired, or doesn't have the required scopes. Verify the token is correct and check that you've requested all necessary scopes for your API calls.
• Invalid Scope Errors: If you receive an error about invalid scopes, ensure you're using the correct scope names. Scope names are case-sensitive and use underscores (e.g., read_products, not readProducts).
• Rate Limiting (429 Errors): Shopify enforces API rate limits. If you exceed these limits, implement exponential backoff in your requests and optimize your API calls to be more efficient.
• Token Rotation and Expiration: In 2026, Shopify tokens don't automatically expire, but you should rotate them regularly for security. You can regenerate tokens from the API credentials tab, which will invalidate the old token.
• Missing Required Scopes: If your API calls are failing with permission errors, you likely need to request additional scopes. Return to your app configuration, add the necessary scopes, and regenerate your token.
• Wrong API Version: Ensure you're using a supported API version in your requests. Shopify deprecates older API versions, so always use recent stable versions like 2024-01 or later.

Best Practices for Token Security

Your access token is sensitive—treat it like a password. Here are essential security practices:

• Never commit tokens to version control systems (Git, GitHub, etc.)
• Use environment variables or secrets managers (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
• Rotate tokens periodically—at least quarterly or after suspected compromise
• Use the minimum required scopes for your application
• Monitor API call logs for suspicious activity
• Restrict API access by IP address if your integration is server-based
• Use separate tokens for development, staging, and production environments

Related Guides

• How to Refresh and Rotate Your Shopify API Token
• Shopify GraphQL vs REST API: Which Should You Use?
• Building Your First Shopify Custom App in 2026

Frequently Asked Questions

Q: Can I use the same access token for multiple applications?

Technically, you can use the same token for multiple applications, but it's not recommended. Best practice is to create a separate custom app and token for each application. This way, if one token is compromised, you only need to rotate that specific token, and you can audit which application is making which API calls. Additionally, using separate tokens allows you to request only the specific scopes each application needs.

Q: How long are Shopify access tokens valid?

As of 2026, Shopify access tokens do not have an expiration date. They remain valid indefinitely until you manually revoke or rotate them. However, this means it's especially important to keep your tokens secure and to rotate them regularly (at least every 90 days) as a security best practice. If you believe a token has been compromised, revoke it immediately from the API credentials tab.

Q: What's the difference between a private app and a custom app?

In 2026, Shopify has consolidated its approach—"custom apps" is the current terminology. Private apps (the older term) have been deprecated. Custom apps are the only way to create internal integrations for your store. For selling apps in the Shopify App Store, you'd need to create a public app, which uses a different authentication flow involving OAuth 2.0.

Q: Can I have multiple access tokens for the same custom app?

No, each custom app has a single access token. If you need to rotate your token, you'll generate a new one from the API credentials tab, which automatically invalidates the previous token. If you need multiple tokens with different permissions, you should create multiple custom apps.

Q: What should I do if I accidentally expose my access token?

If your token is exposed or compromised, immediately navigate to the API credentials tab and click "Rotate" to generate a new token. This will invalidate the old token, preventing unauthorized access to your store. Then, review your API access logs to check for any suspicious activity. If you suspect malicious use, contact Shopify support for additional assistance.