How to Get a Shopify Access Token for API Integration

Generating a Shopify API key and access token is essential for developers and store owners who want to integrate third-party applications, automate workflows, or build custom solutions for their Shopify store. Whether you're managing inventory, syncing data, or creating a custom app, understanding how to generate a Shopify API key is the first step toward unlocking powerful automation capabilities.

In 2026, Shopify's authentication system has evolved to prioritize security and ease of use. This comprehensive guide walks you through the exact process of generating your Shopify access token, including all prerequisites, required scopes, and troubleshooting tips.

What You Need

• A Shopify store (any plan—Basic, Shopify, Advanced, or Plus)
• Admin access to your Shopify store
• Access to the Shopify Admin dashboard or API section
• A clear understanding of which API scopes your app requires
• Either Shopify CLI installed on your machine or access to your store's admin panel
• Basic knowledge of API authentication and REST/GraphQL protocols
• A development environment (local machine or web server) if building a custom app

Required API Scopes

API scopes determine what permissions your access token has. Before generating your token, identify which scopes you need based on your use case:

Scope	What It Allows
write_products	Create, update, and delete products and their variants in your store
read_orders	Access order data, customer information, and transaction history
write_orders	Create, modify, and manage orders, fulfillments, and refunds
read_inventory	View inventory levels across all locations
write_inventory	Update inventory quantities and manage stock levels

Always request only the minimum scopes necessary for your application. This follows the principle of least privilege and enhances security.

Step-by-Step Guide

Method 1: Using the Shopify Admin Dashboard

Step 1: Log In to Your Shopify Admin

Navigate to your Shopify Admin dashboard by visiting https://admin.shopify.com and logging in with your credentials. Ensure you have admin or developer access to proceed.

Step 2: Access the Apps and Integrations Section

From the admin sidebar, scroll down and click on Apps and integrations. This section consolidates all your installed apps, custom apps, and API credentials.

Step 3: Create a Custom App

Click the Develop apps button, then select Create an app. Enter a name for your app—something descriptive like "Inventory Sync Tool" or "Order Processing System." This name helps you identify the app's purpose later.

Step 4: Configure Admin API Scopes

Once your app is created, navigate to the Configuration tab. Under Admin API scopes, select the specific permissions your app needs. For example, if you're building an inventory management tool, select read_inventory and write_inventory.

Step 5: Generate Your Access Token

After configuring scopes, click Save. Shopify will display your access token on the API credentials page. Copy this token immediately and store it securely—Shopify only displays it once.

Step 6: Retrieve Your API Credentials

On the same page, you'll find:

• Access Token: Your authentication key for API requests
• API Key: Used alongside your access token for certain authentication flows
• API Secret: Keep this confidential; never share it publicly

Method 2: Using Shopify CLI

Step 1: Install Shopify CLI

If you prefer a command-line approach, install Shopify CLI on your machine:

npm install -g @shopify/cli @shopify/app

Step 2: Authenticate Your Store

Open your terminal and run:

shopify auth login

This opens your browser and prompts you to authorize CLI access to your Shopify store.

Step 3: Create a New App

Generate a new app project with:

shopify app create node

Follow the prompts to name your app and select your store.

Step 4: Configure Scopes

Edit the shopify.app.toml file in your project directory. Add your required scopes:

scopes = "write_products,read_orders,write_inventory"

Step 5: Deploy and Generate Token

Run the following command to deploy your app:

shopify app deploy

Upon successful deployment, your access token will be generated and displayed in the terminal. Store it securely in your environment variables.

Step 7: Test Your Access Token

Verify your token works by making a test API request. Using cURL, test a simple GraphQL query:

curl -X POST https://YOUR_STORE.myshopify.com/admin/api/2024-01/graphql.json \
  -H "X-Shopify-Access-Token: your_access_token_here" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "{ shop { name } }"
  }'

Replace YOUR_STORE with your actual store name and your_access_token_here with your generated token. If successful, you'll receive your shop's name in the response.

Using GetShopifyToken (Faster Method)

While the manual process works well, managing and rotating Shopify access tokens can be time-consuming, especially if you manage multiple stores or integrations. GetShopifyToken simplifies this entire process.

Visit https://getshopifytoken.com to automate token generation, management, and rotation. The platform eliminates manual configuration steps, reduces errors, and securely stores your credentials. This is especially valuable if you're running a Shopify development agency or managing tokens across numerous client stores.

GetShopifyToken provides:

• One-click token generation
• Automatic scope detection based on your use case
• Secure token storage and rotation
• Multi-store management
• Audit logs for compliance

Common Issues

• "Invalid API credentials" error: Ensure your access token hasn't expired. Check your app's API credentials page for confirmation. If needed, regenerate a new token.
• Scope permission denied: Verify your app has the necessary scopes enabled. Return to your app configuration and add missing scopes, then regenerate your token.
• Store URL format incorrect: Always use the format your-store-name.myshopify.com, not variations like your-store-name.shopify.com.
• Token disappears after creation: Shopify displays tokens only once. If you missed copying it, regenerate a new token from the API credentials page.
• CORS errors when calling API from browser: Shopify's API doesn't support CORS from frontend code. Always call Shopify API from your backend server.
• Rate limiting: If requests are failing with 429 errors, you've exceeded Shopify's API rate limits. Implement exponential backoff in your retry logic.
• Missing Admin API access: Ensure your store plan supports Admin API. All plans in 2026 include API access, but verify your account hasn't been restricted.

Related Guides

• How to Use Shopify GraphQL API with Your Access Token
• Best Practices for Securing Your Shopify API Keys and Tokens
• Building Custom Shopify Apps: A Developer's Complete Roadmap
• How to Rotate and Refresh Shopify Access Tokens

Frequently Asked Questions

Q: Can I use the same access token across multiple applications?

Technically yes, but it's not recommended. Each application should have its own token with only the necessary scopes. This limits exposure if one token is compromised and makes it easier to revoke access for a specific app without affecting others. For security best practices, follow the principle of least privilege with dedicated tokens per application.

Q: How often should I rotate my Shopify access tokens?

There's no mandatory rotation schedule, but security best practices suggest rotating tokens every 90 days or immediately if you suspect a breach. Consider using GetShopifyToken, which can automate rotation on a schedule you set, eliminating manual effort and reducing security risks.

Q: What's the difference between an API key and an access token?

An API key is a unique identifier for your app, while an access token is what authenticates your requests to Shopify's API. In most cases, you'll use the access token. The API key is sometimes used in OAuth flows or specific authentication scenarios. For direct app-to-store communication, your access token is what you need.

Q: Can I generate multiple access tokens for the same app?

No. Each Shopify app generates a single access token. If you need a new token (due to compromise or rotation), you regenerate the existing one. The old token becomes invalid. If you need separate tokens for different purposes, create multiple separate apps, each with their own token and scopes.

Q: Is my access token visible to customers or public?

No. Your access token is private and should never be exposed in client-side code, public repositories, or shared with anyone. Treat it like a password. If you accidentally commit it to GitHub or expose it publicly, immediately regenerate a new token from your Shopify admin dashboard to invalidate the compromised one.