Published May 6, 2026. Updated May 6, 2026.

How to Get a Shopify Access Token for API Integration

If you're looking to integrate your Shopify store with third-party applications, build custom apps, or automate business processes, you'll need a Shopify access token. This comprehensive guide walks you through everything you need to know about finding and generating your Shopify shop token in 2026.

A Shopify access token is a secure credential that allows applications to authenticate and interact with your Shopify store's data and functionality via the Shopify API. Whether you're a developer building a custom application, a merchant using integration tools, or an agency managing multiple stores, understanding how to find your Shopify shop token is essential for seamless API access.

What You Need

Required API Scopes

API scopes determine what permissions your access token has. Before generating a token, you need to specify which scopes your integration requires. Here are the most common scopes used in 2026:

| Scope | What It Allows |
|---|---|
| read_products | Allows the app to read product information including titles, descriptions, prices, and inventory data from your store |
| write_products | Enables the app to create, update, and delete products in your store, including variants and collections |
| read_orders | Permits reading order details, customer information, line items, and order status without modification permissions |
| write_orders | Allows the app to create orders, modify existing orders, add fulfillments, and manage order metadata |
| read_customers | Grants access to customer data including email addresses, names, addresses, and purchase history |

Step-by-Step Guide

Follow these detailed steps to generate your Shopify access token:

Step 1: Log Into Your Shopify Admin Dashboard

Navigate to your Shopify store's admin dashboard by visiting https://admin.shopify.com or https://yourstore.myshopify.com/admin. Log in using your admin credentials. You must have admin-level access to create custom apps and generate access tokens.

Step 2: Navigate to the Apps and Integrations Section

In your Shopify admin dashboard, locate the Apps and Integrations menu. You'll typically find this in the left sidebar under Settings or directly as a main menu item. Click on "Apps and integrations" to access the app management area.

Step 3: Create a New Custom App

Within the Apps and integrations section, look for the "Develop apps" or "Create an app" option. Click the button to start creating a new custom app. You'll be prompted to enter an app name. Choose something descriptive that relates to your integration purpose, such as "Inventory Sync Tool" or "Order Management Integration."

Step 4: Configure Your App Settings

After naming your app, you'll need to configure the admin API credentials. In the app configuration panel:

Step 5: Generate Your Access Token

Once your scopes are configured, you'll see an option to "Reveal" or "Generate" your access token. Click this button, and your access token will be displayed. This is a long string of characters that looks similar to:

shpat_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Important: Copy this token immediately and store it securely. Shopify only displays the full token once—you cannot view it again after leaving this page.

Step 6: Test Your Access Token

Before using your token in production, verify it works by making a test API call. Use this curl command to test your token:

curl -X GET "https://yourstore.myshopify.com/admin/api/2024-01/shop.json" \
  -H "X-Shopify-Access-Token: shpat_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"

Replace yourstore with your actual store name and shpat_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 with your actual access token. A successful response will return your shop information in JSON format. If you receive a 401 Unauthorized error, double-check that your token is correct and has the appropriate scopes.

Step 7: Store Your Token Securely

Never commit your access token to version control systems or share it publicly. Store it in:

Using GetShopifyToken (Faster Method)

If you find the manual process cumbersome or need to manage tokens across multiple stores, getshopifytoken.com offers an automated solution that streamlines access token generation. Instead of navigating through multiple admin pages and manually configuring scopes, the platform guides you through a simplified process and helps you securely retrieve and manage your Shopify tokens.

Visit https://getshopifytoken.com to learn how this tool can save you time and reduce errors when working with Shopify API authentication. It's particularly useful for agencies managing multiple client stores or developers who frequently need to generate fresh tokens.

Common Issues

Frequently Asked Questions

Q: How long does a Shopify access token last?

Shopify access tokens do not have expiration dates by default. They remain valid indefinitely until you manually revoke or regenerate them. However, it's good practice to rotate your tokens periodically (every 90-180 days) for security purposes. If you suspect a token has been compromised, you can immediately regenerate a new one from your app settings, which invalidates the old token.

Q: Can I regenerate my access token without losing API access?

Yes, but with a brief interruption. When you regenerate a token, the old token becomes invalid immediately, and you'll receive a new token. You have a few minutes to update your application configuration with the new token. To minimize downtime, regenerate tokens during off-peak hours and have a deployment process ready to quickly update your application's token.

Q: What's the difference between a private app token and a custom app token?

In 2026, Shopify has fully transitioned to custom apps for new store integrations. Private apps are legacy and no longer the recommended approach. Custom apps offer better security, granular permission controls, and more flexible scopes. If you're starting a new integration, always use custom apps to generate your access token.

Q: Can I use the same access token for multiple applications?

Technically yes, but it's not recommended. Best practices suggest creating separate custom apps for each integration, even if they serve the same store. This provides better security isolation, clearer audit trails, and makes it easier to revoke access for specific integrations without affecting others.

Q: Is it safe to store my access token in environment variables?

Environment variables are significantly safer than hardcoding tokens in your source code, but they're not perfect. For production applications, consider using dedicated secrets management systems like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. These services provide encryption, rotation capabilities, and comprehensive audit logs.
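To back up the rule in Step 7 and the answer above, a repository can be checked for hardcoded tokens before anything is committed. The following is an added example, not code from this guide's author or from Shopify; the pattern is an assumption derived from the sample token shown in Step 5 (the `shpat_` prefix followed by 32 alphanumeric characters), and the skipped directory names are illustrative.

```python
import re
import sys
from pathlib import Path

# Assumption: token shape taken from the sample in Step 5 of this guide.
TOKEN_RE = re.compile(r"shpat_[0-9A-Za-z]{32}")
SKIP_DIRS = {".git", "node_modules", ".venv"}  # illustrative choices


def redact(token):
    """Keep only the prefix and last four characters so reports leak nothing."""
    return token[:6] + "..." + token[-4:]


def scan_text(text, name="<text>"):
    """Return (source name, line number, redacted token) for each match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            findings.append((name, lineno, redact(match.group())))
    return findings


def scan_tree(root):
    """Scan every readable file under root, skipping SKIP_DIRS."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(root).parts):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: nothing to report
        findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, lineno, token in hits:
        print(f"{name}:{lineno}: possible Shopify token {token}")
    sys.exit(1 if hits else 0)  # non-zero exit lets a pre-commit hook block
```

Run it from a pre-commit hook or CI step; any token it finds should be treated as exposed and regenerated, since removing it from the file does not remove it from history.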

Q: How do I know which API scopes I need for my integration?

Review the API documentation for the specific operations your integration performs. The Shopify API docs clearly specify which scopes each endpoint requires. Start with the minimum scopes necessary and add additional scopes only as needed. This follows the principle of least privilege and enhances your store's security posture.
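The least-privilege check described above can be automated by asking Shopify which scopes a token carries and comparing them with what the integration needs. This is an added example, not code from this guide's author or from Shopify: it uses the Admin API's `/admin/oauth/access_scopes.json` endpoint, reads credentials from the hypothetical environment variables `SHOPIFY_SHOP` and `SHOPIFY_ACCESS_TOKEN`, and assumes that a `write_x` scope also covers `read_x`.

```python
import json
import os
import urllib.request


def parse_scopes(payload):
    """Extract scope handles from an access_scopes.json response body."""
    return [entry["handle"] for entry in payload.get("access_scopes", [])]


def fetch_granted_scopes(shop, token):
    """Ask Shopify which scopes the token actually carries."""
    url = f"https://{shop}.myshopify.com/admin/oauth/access_scopes.json"
    req = urllib.request.Request(url, headers={"X-Shopify-Access-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scopes(json.load(resp))


def implied_by_write(scope, scopes):
    """Assumption: write_x also grants read_x, so read_x need not be listed."""
    return scope.startswith("read_") and "write_" + scope[len("read_"):] in scopes


def audit_scopes(granted, required):
    """Report scopes the integration lacks and scopes it holds but does not need."""
    granted, required = set(granted), set(required)
    missing = sorted(s for s in required
                     if s not in granted and not implied_by_write(s, granted))
    excess = sorted(s for s in granted
                    if s not in required and not implied_by_write(s, required))
    return {"missing": missing, "excess": excess}


# Constructed sample response, used when no credentials are configured.
SAMPLE = {"access_scopes": [{"handle": "write_products"},
                            {"handle": "read_orders"},
                            {"handle": "read_customers"}]}

if __name__ == "__main__":
    required = ["read_products", "read_orders"]  # what this integration needs
    shop = os.environ.get("SHOPIFY_SHOP")  # hypothetical variable names
    token = os.environ.get("SHOPIFY_ACCESS_TOKEN")
    live = bool(shop and token)
    granted = fetch_granted_scopes(shop, token) if live else parse_scopes(SAMPLE)
    report = audit_scopes(granted, required)
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if report["missing"] or report["excess"] else 0)
```

With the constructed sample, the report flags `write_products` and `read_customers` as excess for a read-only integration, which is the cue to remove those scopes from the custom app and regenerate the token.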
