How to Get a Shopify Access Token for App Development & API Integration
In 2026, obtaining a Shopify access token is essential for developers, merchants, and businesses looking to build custom applications, integrate third-party services, or automate store operations. A Shopify access token grants your application secure permission to interact with your store's data and perform specific actions on your behalf. This comprehensive guide walks you through the entire process of getting a Shopify access token, from initial setup to implementation.
Whether you're building a custom app, integrating with external platforms, or managing your store programmatically, understanding how to get an access token from Shopify is the critical first step. By the end of this article, you'll have a complete understanding of the process and know the fastest way to obtain your token.
What You Need
- An active Shopify store (Development, Plus, or standard plan)
- Admin access to your Shopify store
- Access to the Shopify Admin dashboard
- A clear understanding of what API scopes your app requires
- For custom apps: Admin API enabled on your store
- A code editor or IDE (if building a custom application)
- Familiarity with REST or GraphQL APIs (basic level)
- A secure environment to store and manage your token
Required API Scopes
API scopes define what permissions your access token has when interacting with your Shopify store. Before creating your token, determine which scopes your application needs. Requesting excessive scopes violates security best practices.
| Scope | What It Allows |
|---|---|
| write_products, read_products | Create, read, update, and delete product information including titles, descriptions, prices, and inventory |
| write_orders, read_orders | Access order data, create orders, update order status, and manage order fulfillment |
| write_customers, read_customers | Manage customer accounts, profiles, addresses, and customer data |
| write_inventory, read_inventory | Update inventory levels, manage stock quantities across locations |
| read_analytics, write_analytics | Access store analytics, reports, and performance metrics data |
Step-by-Step Guide
Follow these steps to obtain your Shopify access token directly through the Shopify Admin:
Step 1: Log Into Your Shopify Admin Dashboard
Navigate to your Shopify Admin dashboard at https://admin.shopify.com and sign in with your credentials. Make sure you have Admin access level permissions. If you're using a development store, access it through the Partner dashboard or your test store environment.
Step 2: Navigate to Apps and Integrations
In the Shopify Admin, locate and click on "Apps and integrations" in the left sidebar menu. This section contains all app management features and the ability to create custom apps with API access.
Step 3: Access App and Integration Settings
Click on "App and integration settings" to access the configuration page. This area houses all custom apps, private apps (in older Shopify versions), and integration options. In 2026, Shopify uses the custom app framework exclusively for direct token generation.
Step 4: Create a Custom App
Click the "Create an app" button in the top right corner. You'll be prompted to name your app and optionally provide an app URL and redirect URI. Enter a descriptive name that reflects the app's purpose (e.g., "Inventory Sync Tool" or "Custom Analytics Integration").
Step 5: Configure Admin API Scopes
Navigate to the "Configuration" tab within your newly created app. Under "Admin API access scopes," carefully select only the permissions your application requires. Review the scope descriptions and choose wisely—requesting excessive permissions is a security risk and may prevent app approval if distributing it to other stores.
Step 6: Generate Your Access Token
After configuring your scopes, scroll to the "Admin API access tokens" section and click "Save". Shopify will generate your unique access token. Important: Copy this token immediately and store it securely. Shopify will not display it again after you leave the page.
Step 7: Test Your Token with an API Call
Verify your token works by making a test API request. Here's a curl example to retrieve basic shop information:
curl -X GET "https://YOUR_STORE_NAME.myshopify.com/admin/api/2024-10/shop.json" \
-H "X-Shopify-Access-Token: YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json"Replace YOUR_STORE_NAME with your actual Shopify store name and YOUR_ACCESS_TOKEN with the token you just generated. If successful, the API will return your shop's details in JSON format.
Step 8: Store Your Token Securely
Never hardcode your access token in publicly visible code or commit it to version control. Use environment variables instead. Here's an example using a .env file approach:
# .env (never commit this to Git)
SHOPIFY_ACCESS_TOKEN=shpat_1234567890abcdef
SHOPIFY_STORE_NAME=mystore
# In your application code (Node.js example)
require('dotenv').config();
const token = process.env.SHOPIFY_ACCESS_TOKEN;
const storeName = process.env.SHOPIFY_STORE_NAME;Step 9: Implement Token Rotation (Best Practice)
For production applications, consider implementing token rotation policies. Shopify recommends rotating tokens periodically (every 90-180 days) to maintain security. Document your rotation schedule and set calendar reminders.
Using GetShopifyToken (Faster Method)
While the manual process above works perfectly, developers often seek faster solutions. If you need to streamline the token acquisition process or manage multiple store tokens, visit https://getshopifytoken.com for an automated solution that eliminates repetitive steps and reduces setup time.
This service is particularly valuable if you're managing multiple Shopify stores, working in agency environments, or building apps that require tokens from different stores. It provides additional security features and token management capabilities that go beyond basic Shopify Admin functionality.
Common Issues
- Token Lost or Not Copied: If you forgot to copy your token, delete the app and create a new one. Shopify doesn't provide token recovery; you must regenerate.
- Permission Denied Errors: Verify you have Admin access to the store. Custom app creation requires Admin permissions, not just staff access.
- Invalid Scope Errors: Check that requested scopes are spelled correctly and supported in your Shopify API version. Typos in scope names will cause 401 errors.
- Rate Limiting: Shopify enforces API rate limits (60 requests per minute for standard tier). Implement exponential backoff and request queuing.
- Token Expiration: In 2026, tokens don't technically expire, but should be rotated regularly for security. If an old token stops working, check if it was manually revoked.
- Insufficient Scopes for Requested Action: If API calls return permission errors, you need additional scopes. Edit your app configuration, add the required scopes, and regenerate the token.
- Store API Not Enabled: Ensure the Admin API is enabled in your store settings. Some legacy stores may need to explicitly enable API access.
Related Guides
- Understanding Shopify API Scopes and Permissions in 2026
- How to Build a Custom Shopify App with Your Access Token
- Shopify GraphQL vs REST API: Which Should You Use?
- Securing Your Shopify Access Token: Best Practices Guide
Frequently Asked Questions
Q: Can I use the same access token for multiple applications?
Yes, technically you can share a single token across multiple applications, but this is not recommended. Best practice is to create separate custom apps with unique tokens for each integration or application. This follows the principle of least privilege and provides better security, easier revocation, and clearer audit trails.
Q: How long does a Shopify access token remain valid?
Access tokens generated from custom apps do not expire automatically. However, they can be revoked manually from the Admin panel at any time. For security purposes, Shopify recommends rotating tokens every 90-180 days, especially for production applications handling sensitive data.
Q: What's the difference between a custom app token and an OAuth token?
Custom app tokens are generated directly in your Shopify Admin and are tied to your specific store. OAuth tokens are used for public apps available in the Shopify App Store, where users install the app and grant permissions. OAuth involves a redirect flow and is more complex but more scalable for distributing apps. For internal tools and integrations, custom app tokens are simpler and more suitable.
Q: Can I regenerate a token if I accidentally share it?
Yes. If your token is compromised, immediately delete the custom app that generated it. This revokes the token permanently. Then create a new custom app with the same scopes to generate a new token. Always treat tokens like passwords and never share them in emails, chat, or code repositories.
Q: Do I need different tokens for REST and GraphQL APIs?
No. A single access token works for both REST and GraphQL APIs. The token grants permission based on scopes, regardless of which API interface you use to make requests.
Get Your Shopify Access Token in 60 Seconds
Skip the manual OAuth flow. GetShopifyToken automates the entire process — just paste your credentials and get your token instantly.
Generate Token Now →