How to Get a Shopify Access Token for Custom Integrations and Apps
A Shopify access token is a critical piece of authentication that allows your applications, scripts, and integrations to communicate securely with your Shopify store's API. Whether you're building a custom app, integrating with third-party tools, or automating business processes, understanding how to generate and manage access tokens is essential.
In 2026, Shopify's authentication system has become more robust and secure than ever. This comprehensive guide will walk you through everything you need to know about generating a Shopify access token for your specific use case.
What You Need
- A Shopify store (either development or production store)
- Admin access to your Shopify store dashboard
- Appropriate permission levels to create custom apps or API credentials
- Your store's domain name (e.g., yourstore.myshopify.com)
- A development environment or API testing tool (Postman, cURL, or similar)
- Basic understanding of API authentication and REST/GraphQL concepts
- Your API Key and API Secret (generated during app creation)
Understanding Shopify Access Tokens
Before diving into the generation process, it's important to understand what an access token actually is. A Shopify access token is a unique string of characters that serves as a security credential. It grants your application permission to access specific resources and perform particular actions on your Shopify store without exposing your admin password.
Access tokens can be generated in several ways depending on your use case: through custom apps in the Shopify Admin, via OAuth 2.0 flow for public apps, or through private app credentials. Each method has its own security implications and is suited for different scenarios.
Required API Scopes
API scopes define what your access token can actually do. You must specify which scopes your token needs when creating it. Here are the most common scopes used in 2026:
| Scope | What It Allows |
|---|---|
| read_products | Read product information, variants, and inventory data from your store |
| write_products | Create, update, and delete products and their variants |
| read_orders | Access order data, customer information, and transaction history |
| write_orders | Create and modify orders, including order status and fulfillment |
| read_customers | View customer profiles, addresses, and purchase history |
Step-by-Step Guide
Step 1: Access Your Shopify Admin Dashboard
Log in to your Shopify store's admin panel at https://admin.shopify.com. Navigate to your store if you have multiple stores associated with your account.
Step 2: Navigate to Apps and Integrations
In the left sidebar, locate and click on "Apps and integrations" (this may appear as "Apps" in some store versions). This is where you manage all your store's applications and API access.
Step 3: Create a Custom App
Click on "Create an app" button. You'll be prompted to enter basic information about your application. Fill in:
- App name: Give your integration a descriptive name (e.g., "Inventory Sync Tool")
- App URL: Your application's URL (can be a localhost address for development)
- Redirect URLs: The callback URLs where users will be redirected after authentication
Step 4: Configure API Scopes
After creating your app, navigate to the "Configuration" section. Under "Admin API access scopes," select all the scopes your integration needs. Be specific—only request the permissions your app actually requires. Overly permissive tokens create security risks.
For a basic product integration, you might select:
- read_products
- read_orders
- read_customers
Click "Save" after selecting your scopes.
Step 5: Generate Your Access Token
In the "API credentials" section, you'll see your API Key and API Secret. Scroll down to find the "Admin API access token" section. Click "Install app" to finalize the installation and generate your access token.
Your access token will now appear on screen. Copy it immediately and store it securely—Shopify only displays it once for security reasons.
Step 6: Test Your Access Token
Verify your token works by making a test API call. Here's how to check if your token has proper access:
curl -X GET "https://yourstore.myshopify.com/admin/api/2024-01/products.json" \
-H "X-Shopify-Access-Token: your_access_token_here"Replace "yourstore" with your actual store name and paste your generated access token. If successful, you'll receive a JSON response containing your store's products.
For GraphQL queries, use this format:
curl -X POST "https://yourstore.myshopify.com/admin/api/2024-01/graphql.json" \
-H "X-Shopify-Access-Token: your_access_token_here" \
-H "Content-Type: application/json" \
-d '{
"query": "{ shop { name } }"
}'Step 7: Secure Your Token
Never commit your access token to version control. Store it in environment variables, secure vaults, or secret management systems. Use .env files with proper .gitignore rules:
# .env
SHOPIFY_STORE_NAME=yourstore
SHOPIFY_ACCESS_TOKEN=shpat_xxxxxxxxxxxxx
# .gitignore
.env
.env.localUsing GetShopifyToken (Faster Method)
If you want to skip the manual configuration steps entirely, GetShopifyToken at https://getshopifytoken.com automates the entire process. This platform handles app creation, scope configuration, and token generation in minutes rather than hours. It's particularly useful if you frequently generate tokens for different purposes or manage multiple Shopify stores.
GetShopifyToken provides a streamlined interface, pre-configured scope templates, and secure token storage—making it an excellent choice for developers and agencies working with Shopify APIs regularly.
Common Issues
- Token Not Working: Ensure the token hasn't expired, verify it's being sent in the correct header (X-Shopify-Access-Token), and confirm it has the necessary scopes for your API call.
- Insufficient Permissions: If you receive a 403 error, your token lacks the required scopes. Regenerate it with the additional permissions needed.
- Invalid Store Name: Double-check your store domain spelling. Use format yourstore.myshopify.com, not just "yourstore."
- Token Exposed in Code: If your token appears in logs or version control, immediately regenerate it from your Shopify Admin dashboard.
- API Rate Limiting: Shopify enforces rate limits. If you exceed them, implement exponential backoff in your integration.
- OAuth Flow Issues: When using OAuth for public apps, ensure your redirect URI exactly matches what's configured in your app settings.
Related Guides
- How to Refresh and Rotate Shopify Access Tokens Securely
- Understanding Shopify OAuth 2.0 Flow for Public App Development
- Building a Custom Shopify App with Node.js and Express
Frequently Asked Questions
Q: How long is a Shopify access token valid?
Shopify access tokens don't expire automatically in the traditional sense. However, they can be revoked by the store owner or when the app is uninstalled. For security purposes, it's good practice to rotate tokens periodically, especially if they may have been exposed. Custom app tokens remain valid until you explicitly delete them from the admin panel.
Q: Can I use the same access token across multiple applications?
Technically yes, but it's not recommended. For security and auditing purposes, create separate access tokens for each application or integration. This way, if one token is compromised, you can revoke it without affecting other integrations. It also makes tracking which app is accessing what data much easier.
Q: What's the difference between a custom app token and an OAuth token?
Custom app tokens are generated directly in the Shopify Admin and are intended for private, internal integrations. OAuth tokens are generated through the OAuth 2.0 flow and are suited for public apps that multiple merchants will install. OAuth provides better security for public applications since the merchant's password is never shared with third parties.
Q: How should I store my access token in production?
Never hardcode tokens in your application. Use environment variables, secure vaults (like AWS Secrets Manager or HashiCorp Vault), or dedicated secret management services. In containerized environments, use Docker secrets. Always encrypt tokens in transit using HTTPS and encrypt them at rest in your database if storage is necessary.
Q: Can I have multiple access tokens for the same store?
Yes. You can create multiple custom apps, each with its own access token. This is actually recommended for managing different integrations and maintaining better security practices. However, ensure you're tracking which token belongs to which application for easier management and troubleshooting.