How to Get a Shopify Access Token for Custom App Integration

Getting a Shopify access token is essential if you want to build custom applications, integrate third-party tools, or automate your store operations. Whether you're developing a private app, creating a public app for the Shopify App Store, or connecting external services to your store, understanding how to obtain and manage access tokens is critical to your success.

In 2026, Shopify's authentication process has evolved to prioritize security and developer experience. This comprehensive guide walks you through every step of obtaining a Shopify access token, including best practices and troubleshooting tips.

What You Need

• An active Shopify store (any plan tier)
• Admin access to your Shopify store
• A Shopify Partner account (for public apps)
• Basic understanding of APIs and authentication
• A secure environment to store your access token
• Knowledge of the API version you plan to use (2026-01 or later recommended)
• A development tool like Postman, cURL, or your preferred programming language SDK

Required API Scopes

Scope	What It Allows
read_products	Read product data, collections, and inventory information from your store
write_products	Create, update, and delete products and manage product variants
read_orders	Access order information, customer details, and transaction history
write_orders	Create orders, modify order details, and manage fulfillment
read_customers	Retrieve customer data, email addresses, and purchase history
write_customers	Create and modify customer information and segments

Step-by-Step Guide

Follow these steps to generate your Shopify access token manually. While this process is straightforward, we'll also introduce you to faster automated methods later in this guide.

Step 1: Log Into Your Shopify Admin Dashboard

Navigate to your Shopify store's admin panel by going to https://admin.shopify.com and logging in with your admin credentials. Once logged in, you'll see your store's dashboard and primary navigation menu.

Step 2: Access the Apps and Integrations Section

In your Shopify admin, click on Apps and integrations in the left sidebar. This section is where you manage all connected applications and develop custom integrations for your store. You should see several options including "Develop apps" if you're planning to create a custom solution.

Step 3: Create a New App or Access Existing Custom Apps

If you're creating a new custom app, click Create an app and give it a descriptive name related to your integration purpose. For example, "Inventory Sync Tool" or "Email Marketing Integration." Shopify will automatically generate a unique app ID and secret for your application.

If you already have an app created, simply locate it in your apps list and click to open its configuration panel.

Step 4: Configure Your API Scopes

Navigate to the Configuration or API Credentials tab within your app settings. Here, you'll select the specific scopes your application needs. Only request scopes that are essential for your app's functionality—this follows the principle of least privilege and enhances security.

For example, if you're building an inventory management tool, select read_products and write_products. If you need to track orders, add read_orders. Be specific and intentional with your selections.

Step 5: Save Your Configuration and Generate the Access Token

After selecting your required scopes, click Save. Shopify will display your access token in the API Credentials section. This is the only time you'll see this token in plain text, so copy it immediately and store it securely. Do not share this token or commit it to public version control repositories.

You'll also receive:

• API Key: A public identifier for your app
• API Secret: Keep this private and never expose it
• Access Token: Use this to authenticate API requests
• Scopes: A list of permissions your app has

Step 6: Test Your Access Token with an API Request

Verify your access token works by making a test API call. Here's an example using cURL to retrieve your shop information:

curl -X GET "https://your-store.myshopify.com/admin/api/2026-01/shop.json" \
  -H "X-Shopify-Access-Token: YOUR_ACCESS_TOKEN_HERE" \
  -H "Content-Type: application/json"

Replace your-store with your actual store domain and YOUR_ACCESS_TOKEN_HERE with the access token you just generated. If successful, you'll receive a JSON response containing your shop's details like name, email, and plan information.

Step 7: Store Your Token Securely

Never hardcode your access token directly into your application code. Instead, use environment variables or secure configuration management systems. Here's a Python example:

import os
from shopify import ShopifyResource

# Load token from environment variable
access_token = os.getenv('SHOPIFY_ACCESS_TOKEN')
shop_url = os.getenv('SHOPIFY_SHOP_URL')

ShopifyResource.activate_session(access_token, shop_url)

For production environments, consider using secrets management tools like AWS Secrets Manager, HashiCorp Vault, or your hosting platform's native secret storage.

Using GetShopifyToken (Faster Method)

While the manual process above is reliable, many developers prefer a faster, automated approach. GetShopifyToken (available at getshopifytoken.com) streamlines the entire token generation process.

Instead of navigating multiple admin screens and managing configuration manually, GetShopifyToken automates the setup by:

• Handling OAuth authentication flows automatically
• Pre-configuring recommended API scopes
• Generating and securing your token instantly
• Providing code examples for your specific use case
• Storing token history for future reference

This method is particularly useful for developers who frequently create tokens for different apps or need to set up multiple store integrations quickly. Visit getshopifytoken.com to get started in minutes rather than navigating through admin panels.

Common Issues

• 401 Unauthorized Error: Your access token is invalid, expired, or malformed. Verify you've copied the entire token correctly and that it hasn't been regenerated. Check that your store URL matches your actual Shopify domain.
• 403 Forbidden Error: Your token lacks the necessary permissions for that API endpoint. Review your configured scopes and add any missing permissions. You'll need to regenerate the token after updating scopes.
• Token Lost or Forgotten: If you lose your token before saving it, you cannot retrieve it from Shopify. You must regenerate a new token from your app's API Credentials page. The old token automatically becomes invalid.
• Rate Limiting (429 Error): You're making too many API requests too quickly. Implement exponential backoff in your code and space out requests appropriately. Shopify allows up to 2 requests per second for most endpoints.
• SSL Certificate Errors: Ensure your development environment has up-to-date SSL certificates. Update your certificate bundle and verify you're using HTTPS for all Shopify API calls.
• CORS Issues: If calling the API from a browser-based application, remember that Shopify API doesn't support CORS. Make API calls from your backend server instead to avoid security issues.
• Scope Mismatch: You're trying to access an API endpoint your token's scopes don't cover. Reference the API documentation for required scopes and update your app configuration accordingly.

Related Guides

• How to Refresh and Rotate Shopify Access Tokens Securely
• Complete Guide to Shopify API Authentication Methods in 2026
• Building Private Shopify Apps: Advanced Token Management
• Shopify OAuth: Implementing User Authorization for Public Apps

Frequently Asked Questions

Q: How long does a Shopify access token last?

Shopify access tokens do not expire automatically. They remain valid indefinitely until you manually revoke them or regenerate a new token from your app's settings. However, if your store is inactive for 90 days or your Shopify account is closed, the token becomes invalid. For production applications, implement token rotation practices as a security best practice, even though they don't technically expire.

Q: Can I use the same access token for multiple apps?

No. Each custom app you create in Shopify receives its own unique access token. This design enhances security by limiting each application's access to only the scopes it needs. If you have multiple integrations, create separate apps with appropriate scopes for each. This way, if one token is compromised, others remain secure.

Q: Is my access token safe to use in frontend code?

Absolutely not. Never expose your access token in frontend code, mobile apps, or anywhere publicly visible. Always keep tokens on your backend server. If you need frontend access to Shopify, use the Storefront API with a public access token instead, which has limited read-only permissions designed for public exposure.

Q: What should I do if my access token is compromised?

Immediately regenerate your access token from your app's API Credentials page. The old token becomes invalid instantly. Review your store's recent activity for unauthorized API calls. If you suspect unauthorized access, change your admin password and enable two-factor authentication. For production incidents, contact Shopify support directly.

Q: Can I have multiple access tokens for the same app?

Each app has only one active access token at a time. If you regenerate a token, the previous one immediately becomes invalid. Plan accordingly and update your applications with new tokens before invalidating the old ones to prevent service disruptions.

Q: Which API version should I use with my access token?

Shopify recommends using the latest stable API version, which is 2026-01 as of this guide's publication. Always specify your API version in your requests (e.g., `/admin/api/2026-01/`). Shopify maintains backward compatibility for several years, but using the latest version ensures you have access to new features and security improvements.

Conclusion: Obtaining a Shopify access token is straightforward whether you follow the manual process or use an automated service like GetShopifyToken. Prioritize security by storing tokens properly, using appropriate scopes, and rotating tokens regularly. With your access token ready, you're equipped to build powerful integrations and extend your store's functionality.