How to Get a Shopify Access Token for API Integration
A Shopify access token is a critical piece of authentication that allows third-party applications and custom scripts to interact with your Shopify store's data and functionality. Whether you're building a custom app, integrating with external tools, or automating store operations, understanding how to find your Shopify token is essential. This comprehensive guide walks you through every step of the process in 2026.
Access tokens serve as digital keys that grant permission to perform specific actions on your Shopify store without exposing your main password. They're the backbone of secure API communication and are required for nearly all programmatic interactions with your store's backend.
What You Need
- A Shopify store with admin access (Partner account or store owner)
- Your Shopify store URL (e.g., yourstore.myshopify.com)
- Access to the Shopify Admin dashboard
- Basic understanding of API authentication concepts
- A text editor or secure password manager to store your token
- Two-factor authentication enabled on your account (recommended)
- Knowledge of which API scopes your integration requires
Required API Scopes
Before generating your access token, you need to specify which scopes your application requires. Scopes determine what actions your token can perform. Here are the most common scopes used in 2026:
| Scope | What It Allows |
|---|---|
| read_products | Read product information, variants, images, and inventory data from your store |
| write_products | Create, modify, and delete products and variants in your store |
| read_orders | Access order details, customer information, and transaction history |
| write_orders | Create and modify orders, including fulfillment and payment status |
| read_customers | Retrieve customer profiles, addresses, and account information |
| write_customers | Create, update, and delete customer accounts and their details |
Step-by-Step Guide
Step 1: Log Into Your Shopify Admin Dashboard
Navigate to your Shopify admin panel by going to yourstore.myshopify.com/admin. Log in with your admin credentials. If you're using a Partner account, you may need to access the store through the Partner dashboard first.
Step 2: Navigate to Apps and Integrations
In the Shopify Admin, look for the "Apps and integrations" section in the left sidebar. This section contains all tools for managing API access, custom apps, and third-party integrations. Click on "Apps and integrations" to expand the menu.
Step 3: Access the App Settings
Within Apps and integrations, select "App and integration settings." This page shows you all installed apps and allows you to create new custom apps. This is where you'll generate your access token for private apps and custom integrations.
Step 4: Create a Custom App
Click the "Create an app" button. You'll be prompted to enter an app name (e.g., "Inventory Sync Tool" or "Email Integration"). Choose a descriptive name that indicates what the app will do. This helps you identify the purpose of the token later.
Select the appropriate app type. For most integrations, you'll want "Custom app" which is designed for private, internal integrations rather than public applications.
Step 5: Configure Admin API Scopes
Once your app is created, navigate to the "Configuration" tab. Under "Admin API scopes," you'll see a list of all available permissions. Select only the scopes your integration requires. Follow the principle of least privilege—only grant permissions necessary for your specific use case.
For example, if you're building an inventory synchronization tool, you might only need read_products and write_inventory scopes. For a customer data integration, you'd select read_customers and potentially write_customers.
Step 6: Save and Install Your App
After selecting your scopes, scroll to the top of the Configuration page and click "Save app." Shopify will register your app with the selected permissions. You'll then need to click "Install app" to activate it on your store.
Step 7: Retrieve Your Access Token
After installation, you'll be redirected to your app's overview page. Look for the "Admin API access token" section. Your access token will be displayed here—it's a long string of characters that looks something like: shpat_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p.
Important: Copy this token and store it securely immediately. Shopify will not display it again after you leave this page. If you lose it, you'll need to regenerate a new one.
Step 8: Test Your Token with an API Call
Verify your token works correctly by making a test API call. Here's an example using cURL to retrieve your shop information:
curl -X GET "https://yourstore.myshopify.com/admin/api/2024-01/shop.json" \
-H "X-Shopify-Access-Token: shpat_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p" \
-H "Content-Type: application/json"Replace yourstore with your actual store name and shpat_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p with your real access token. If successful, you'll receive a JSON response containing your shop details, confirming the token is active and properly configured.
Step 9: Implement the Token in Your Application
Store your access token securely in your application's environment variables, not in hardcoded strings. In Node.js, for example:
const shopifyAccessToken = process.env.SHOPIFY_ACCESS_TOKEN;
const shopName = 'yourstore.myshopify.com';
async function getProductData() {
const response = await fetch(`https://${shopName}/admin/api/2024-01/products.json`, {
method: 'GET',
headers: {
'X-Shopify-Access-Token': shopifyAccessToken,
'Content-Type': 'application/json'
}
});
return response.json();
}
Step 10: Secure Your Token
Never commit your access token to version control systems like Git. Use environment files (.env) that are excluded from your repository. Implement token rotation policies—regenerate tokens periodically and revoke old ones to minimize security risks if a token is compromised.
Using GetShopifyToken (Faster Method)
If you want to streamline the process of obtaining and managing Shopify access tokens, visit https://getshopifytoken.com. This platform automates much of the manual work involved in token generation and provides a user-friendly interface for managing multiple tokens across different stores.
GetShopifyToken handles the OAuth flow automatically, securely stores your tokens, and provides clear documentation for integrating them into your applications. For developers managing multiple Shopify stores or building complex integrations, this service significantly reduces setup time and eliminates manual configuration errors.
Common Issues
- Token Not Displaying After App Installation: Refresh your browser or log out and log back into the admin panel. Sometimes the token appears on a subsequent page load.
- "Insufficient Permissions" API Errors: Verify that your app has the required scopes for the endpoints you're calling. You may need to add additional scopes and reinstall the app.
- 401 Unauthorized Responses: This typically means your token is invalid, expired, or incorrectly formatted in your API headers. Double-check for typos or extra spaces.
- Lost or Forgotten Token: If you lose your token before saving it, you cannot retrieve it. You must generate a new one by reinstalling the app, which revokes the old token.
- Token Not Working in Postman or API Clients: Ensure you're adding the header exactly as specified:
X-Shopify-Access-Token: [your_token]with proper formatting. - Scope Changes Not Taking Effect: Always reinstall your app after modifying scopes. Simply saving new scopes isn't enough—reinstallation is required for changes to activate.
- Rate Limiting Errors (429 Status): Your requests are exceeding Shopify's API rate limits. Implement exponential backoff retry logic and reduce request frequency.
- Store URL Format Errors: Ensure you're using the complete myshopify.com domain, not custom domains, when making API calls with your access token.
Related Guides
- Understanding Shopify OAuth and Custom Apps
- Building a Shopify App: Complete Developer Guide for 2026
- Shopify GraphQL Admin API vs REST API: Which Should You Use?
- Securing Your Shopify API Tokens: Best Practices and Common Mistakes
Frequently Asked Questions
Q: What's the difference between a custom app token and a public app token?
Custom app tokens are generated for private integrations specific to your store and are stored in your admin. Public app tokens are used when building apps for the Shopify App Store and require OAuth authentication. Custom app tokens are simpler for direct store-to-service integrations, while public app tokens follow a more complex but secure OAuth flow suitable for distributing apps to multiple merchants.
Q: Can I have multiple access tokens for the same Shopify store?
Yes, absolutely. You can create multiple custom apps, each with its own access token and specific scope configuration. This is actually recommended for security—use different tokens for different integrations so that if one token is compromised, you only need to regenerate that specific token rather than affecting all your integrations.
Q: How often should I regenerate my Shopify access token?
There's no mandatory rotation period set by Shopify, but security best practices recommend regenerating tokens every 90 days for high-security applications. For production integrations handling sensitive data like customer information or payment processing, quarterly rotation is standard. You should immediately regenerate a token if you suspect it's been exposed or compromised.
Q: Is it safe to use my access token in client-side JavaScript?
No. Never expose your access token in client-side code, including JavaScript running in browsers. Your token should only exist on secure backend servers. If client-side applications need to access Shopify data, implement a proxy server that handles authentication or use Shopify's Storefront API, which is designed for public, client-side access.
Q: What API version should I use with my access token?
Shopify supports multiple API versions for backward compatibility. In 2026, use the most recent stable version available (typically labeled as the current year version like 2024-01 or 2025-01). Check the Shopify Developer documentation for the latest recommended version. Using current versions ensures you have access to the newest features and security improvements.