How to Get a Shopify Access Token for API Integration
Getting a Shopify access token is essential for developers and businesses looking to integrate custom applications, automate workflows, or connect third-party tools to their Shopify store. Whether you're building a private app for internal use or creating a public application for the Shopify App Store, understanding how to obtain and manage your access token is crucial for secure API integration.
In 2026, Shopify continues to refine its authentication methods to prioritize security while maintaining developer accessibility. This comprehensive guide will walk you through every step of obtaining your Shopify access token, from initial setup through successful API authentication.
What You Need
- An active Shopify store (any plan tier)
- Admin access to your Shopify store
- Access to the Shopify Admin dashboard
- A web browser (Chrome, Firefox, Safari, or Edge)
- Basic understanding of API authentication concepts
- Your store's domain name (e.g., mystore.myshopify.com)
- A text editor or secure credential management tool for storing tokens
- Knowledge of where you'll be using the token (app development, webhook integration, or API calls)
Required API Scopes
API scopes define what permissions your access token will have. You must select appropriate scopes based on the specific functionality your application needs. Requesting excessive permissions violates the principle of least privilege and may concern users. Here are the most commonly required scopes:
| Scope | What It Allows |
|---|---|
| read_products | Read product data, pricing, and inventory information from your store |
| write_products | Create, update, and modify product listings and inventory levels |
| read_orders | Access order details, customer information, and order history |
| write_orders | Create orders, update order status, and modify order information |
| read_customers | Retrieve customer profiles, contact information, and purchase history |
| write_customers | Create customer accounts, update profiles, and manage customer data |
Step-by-Step Guide
Follow these detailed steps to generate your Shopify access token:
- Log in to Your Shopify Admin Dashboard
Navigate to your Shopify store's admin panel by visiting https://[yourstore].myshopify.com/admin. Log in using your admin credentials. Make sure you're using an account with full administrative privileges, as creating apps requires admin-level access.
- Navigate to Apps and Integrations
From the admin dashboard, locate the "Apps and integrations" section in the left sidebar menu. This section consolidates all your app management, API credentials, and integration settings. Click on "Apps and integrations" to expand the menu.
- Access the App and Integration Settings
Within the Apps and integrations section, click on "App and integration settings" or "Develop apps" depending on your Shopify plan. This is where you'll manage custom apps and generate access tokens for API integration.
- Create a New App
Click the "Create an app" button. A dialog box will appear asking you to name your application. Enter a descriptive name that clearly indicates the app's purpose, such as "Inventory Sync Integration" or "Custom Order Dashboard." This name helps you identify the token's purpose later.
- Confirm App Details
Shopify will confirm the app creation and display your new app in the apps list. Click on the newly created app to access its configuration page and API credentials.
- Generate Admin API Credentials
On the app's detail page, navigate to the "Configuration" tab. Scroll to the "Admin API access scopes" section. Select the specific API scopes your application requires. Only choose scopes that your application actually needs. After selecting your scopes, click "Save" to confirm your selections.
- Retrieve Your Access Token
Once you've configured your scopes, navigate to the "API Credentials" tab. Your access token will be displayed under "Admin API access token." This is your secret credential—treat it with the same security level as a password. Click "Reveal" if the token is hidden, and copy it to a secure location immediately.
- Store Your Token Securely
Never commit your access token to version control systems like GitHub. Instead, store it in environment variables or a secure secrets management system. Many developers use .env files locally (never committed to repositories) or dedicated credential management tools.
- Test Your Token
Verify your token works by making a test API call. Here's how to test your token using cURL:
curl -X GET "https://[yourstore].myshopify.com/admin/api/2024-01/products.json" \ -H "X-Shopify-Access-Token: [YOUR_ACCESS_TOKEN]"Replace
[yourstore]with your actual store name and[YOUR_ACCESS_TOKEN]with your token. If the request succeeds, you'll receive a JSON response with your product data. A 401 error indicates an invalid or expired token. - Keep Track of Your API Version
Shopify regularly updates its API versions. When making API calls, ensure you're using a supported version. The current stable API versions in 2026 include 2024-01, 2024-04, and 2024-07. Using outdated API versions may cause compatibility issues.
Using GetShopifyToken (Faster Method)
For developers who prefer automation and streamlined workflows, getshopifytoken.com offers a faster alternative to manually navigating Shopify's admin interface. GetShopifyToken is a specialized platform that automates the access token generation process while maintaining security best practices.
Instead of following multiple steps through the Shopify admin, you can use GetShopifyToken to authenticate your store, select required scopes, and receive your access token in seconds. The platform handles API credential management securely and provides additional features like token rotation reminders and usage monitoring. Visit https://getshopifytoken.com to get started with the automated approach. This method is particularly valuable if you're managing multiple Shopify stores or frequently generating new tokens for different integrations.
Common Issues
- 401 Unauthorized Error — Your token may be expired, invalid, or revoked. Verify you've copied it correctly and that your store name matches your API endpoint. Generate a new token if necessary.
- 403 Forbidden Error — Your token lacks the required API scopes for the requested operation. Review the API scope documentation and regenerate your token with appropriate permissions.
- Token Not Appearing — Ensure you've successfully created the app and selected at least one API scope. Apps without scopes don't generate tokens. Refresh the page if it still doesn't appear.
- Accidental Token Exposure — If you've accidentally shared your token publicly (e.g., committed to GitHub), immediately revoke it from the Admin API section. Generate a new token and update all applications using the old one.
- API Rate Limiting — Shopify enforces rate limits on API calls. If you exceed these limits, requests will be throttled. Implement exponential backoff in your API calls to handle rate limiting gracefully.
- Scope Permission Errors — If your application performs an action for which it lacks permissions, you'll receive a permission denied error. Add the necessary scopes, save, and regenerate your token.
- Cross-Origin Issues — If making requests from a browser, you may encounter CORS (Cross-Origin Resource Sharing) errors. API requests should be made from a backend server, not directly from client-side JavaScript.
Related Guides
- How to Use Shopify Webhooks for Real-Time Store Updates
- Shopify GraphQL API vs REST API: Which Should You Choose?
- Best Practices for Securing Your Shopify API Credentials
- Building Custom Shopify Apps with Node.js and Express
Frequently Asked Questions
Q: How often should I rotate my Shopify access token?
Security best practices recommend rotating access tokens every 90 days or immediately if you suspect compromise. For highly sensitive operations, rotate tokens more frequently. Shopify allows you to maintain multiple tokens simultaneously, enabling zero-downtime token rotation. Simply generate a new token, update your applications to use it, test thoroughly, and then revoke the old token.
Q: Can I use the same access token for multiple applications?
Technically yes, but this isn't recommended. Each application should have its own dedicated access token with only the scopes it requires. This approach follows the principle of least privilege and enables you to revoke compromised tokens without affecting other applications. If one token is exposed, regenerate only that specific token rather than disrupting all your integrations.
Q: What's the difference between custom apps and public apps?
Custom apps are private applications for your own store, using admin API tokens. Public apps are distributed through the Shopify App Store and use OAuth 2.0 authentication instead of static tokens. Public apps request permission from store owners during installation, while custom apps grant automatic access as the store owner. Choose custom apps for internal integrations and public apps if you plan to distribute your application to other merchants.
Q: Can I see when someone last used my access token?
Shopify's admin interface shows when tokens were created and last used. However, detailed usage logs aren't available in the standard admin panel. For comprehensive audit trails, implement logging within your application to track API calls and token usage. This helps detect unauthorized access or misuse patterns.
Q: What should I do if my access token is compromised?
Immediately revoke the compromised token from your Shopify admin's API credentials section. Generate a new token and update all applications to use it. Review your store's recent activity for any suspicious changes, such as unauthorized product modifications or order manipulation. Consider implementing additional security measures like IP whitelisting if your infrastructure supports it.