A Shopify access token is a critical credential that allows third-party applications and custom integrations to authenticate and interact with your Shopify store's data and functions. Whether you're building a custom app, integrating with external tools, or automating workflows, understanding how to generate and manage your Shopify access token is essential for maintaining security and functionality.
In 2026, Shopify's authentication system has evolved to prioritize security and developer experience. This comprehensive guide will walk you through the process of obtaining your Shopify access token, understanding the required API scopes, and best practices for token management.
API scopes define what permissions your access token has. Before generating your token, determine which scopes your application actually needs. Shopify follows the principle of least privilege—only request the scopes your app requires.
| Scope | What It Allows |
|---|---|
| read_products | View product catalog, variants, pricing, and inventory data without modification permissions |
| write_products | Create, update, and modify products, variants, and related product information |
| read_orders | Access order data including customer information, line items, fulfillment status, and payment details |
| write_orders | Create orders, modify existing orders, and update order fulfillment and tracking information |
| read_customers | Retrieve customer profiles, contact information, and purchase history |
| write_customers | Create, update, and delete customer records and manage customer data |
| read_inventory | View inventory levels, stock counts, and inventory location data |
| write_inventory | Update inventory levels, adjust stock counts across locations, and manage inventory adjustments |
Follow these steps to generate your Shopify access token manually through the admin dashboard:
1. Navigate to https://admin.shopify.com and sign in with your Shopify credentials. Ensure you have admin-level access to the store for which you need the token.
2. In the left sidebar, click "Apps and integrations" (the exact location may vary slightly depending on your Shopify plan and theme, but this is typically in the main navigation menu).
3. Look for the "App and sales channel settings" or "Develop apps" option. Click it and select "Create an app", or "Allow custom app creation" if you haven't already enabled custom app development.
4. Provide a descriptive name for your app or integration. Use clear naming conventions such as "Inventory Sync Tool," "Email Marketing Integration," or "Custom Order Processor" so you can easily identify the token's purpose later.
5. After creating your app, navigate to the "Configuration" or "API credentials" section. Select the specific scopes your application requires. Remember to follow the principle of least privilege: only enable the permissions your app actually needs.
6. Click "Save" to apply your scope selections.
7. Look for an "Install app" or "Generate token" button. Some versions require you to click "Install" first, after which the access token will be displayed. Copy this token immediately and store it in a secure location.
Never commit your token to version control, share it via email, or store it in plain text. Use environment variables, secure vaults, or secrets management tools.
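One way to enforce the "never commit your token" rule is a check that scans files for hard-coded tokens before they reach version control. The script below is an added example, not part of Shopify's tooling; it assumes tokens are the `shpat_` prefix followed by 32 hexadecimal characters (only the prefix appears in this guide), and the sample file contents are constructed.

```python
import re

# Assumption: Admin API tokens are "shpat_" followed by 32 hex characters.
# Only the prefix is shown in this guide; adjust the pattern if yours differ.
TOKEN_RE = re.compile(r"\bshpat_[0-9a-fA-F]{32}\b")

def redact(token):
    """Keep the prefix and last 4 characters so a finding can be traced
    to a specific token without printing the secret itself."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]

def scan_text(text, source="<stdin>"):
    """Return (source, line_number, redacted_token) for each hard-coded token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings

# Constructed sample: one hard-coded (fake) token, one line that reads the
# token from the environment, and the guide's placeholder (not a real token).
SAMPLE = '''\
SHOP = "your-store.myshopify.com"
TOKEN = "shpat_0123456789abcdef0123456789abcdef"
SAFE_TOKEN = os.environ["SHOPIFY_ACCESS_TOKEN"]
PLACEHOLDER = "shpat_your_access_token_here"
'''

if __name__ == "__main__":
    import sys
    results = []
    if sys.argv[1:]:
        # Scan the files named on the command line (e.g. staged files).
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results += scan_text(fh.read(), path)
    else:
        results = scan_text(SAMPLE, "sample.py")
    for src, lineno, tok in results:
        print(f"{src}:{lineno}: hard-coded Shopify token {tok}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit
```

Run with file paths as arguments from a pre-commit hook; a non-zero exit status stops the commit.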
Once you have your access token, verify it works by making a test API call to retrieve your store information:
```bash
curl -X GET "https://your-store.myshopify.com/admin/api/2026-01/shop.json" \
  -H "X-Shopify-Access-Token: shpat_your_access_token_here" \
  -H "Content-Type: application/json"
```
Replace "your-store" with your actual Shopify store name and "shpat_your_access_token_here" with your generated token. A successful response will return JSON data about your store, confirming the token is valid and has the necessary permissions.
While the manual process works well, it requires multiple steps and careful configuration. GetShopifyToken (available at https://getshopifytoken.com) streamlines this process significantly. Instead of navigating through your admin dashboard and manually configuring scopes, GetShopifyToken provides an automated platform that handles token generation, scope selection, and secure storage in just a few minutes.
The service is particularly valuable if you need to generate tokens regularly, manage multiple store tokens, or require enhanced security features like automatic token rotation and audit logging. For developers working on multiple Shopify integrations or agencies managing clients' stores, GetShopifyToken eliminates repetitive manual work and reduces the risk of configuration errors.
As of 2026, Shopify access tokens do not have an expiration date. They remain valid indefinitely until you manually revoke them by uninstalling the app or deleting the token from your admin dashboard. This represents a change from earlier versions and simplifies long-term integrations. However, this also means you must take responsibility for token security and rotation policies to maintain best practices.
Yes, you can create multiple apps and generate separate tokens for each one. This is actually a security best practice—use different tokens for different integrations so that if one token is compromised, the others remain secure. For example, you might have one token for your email marketing tool, another for inventory management, and a third for accounting software.
Immediately revoke the token by uninstalling the app or deleting the token from your admin dashboard. The old token will stop working immediately. Then generate a new token and update your application's configuration with the new credentials. Review your store's audit logs to check if the compromised token was used to access or modify any data. Consider enabling enhanced security monitoring and two-factor authentication on your admin account.
No, a Partner account is not required. You can generate access tokens directly from your Shopify store's admin dashboard as long as you have admin-level access. A Partner account is only necessary if you're developing apps to list on the Shopify App Store or want to work with multiple client stores in an agency context.
Make an API call that uses one of your scopes and observe the response. For example, if you have the read_products scope, call the products endpoint. If the request succeeds with a 200 status code, your token has that permission. If you receive a 403 Forbidden error, your token lacks the required scope and you need to regenerate it with additional permissions.
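Rather than probing one endpoint per scope, you can list every scope a token holds and compare that list with what the integration needs, which also exposes over-privileged tokens. This is an added example, not code from Shopify or this guide; it uses Shopify's `/admin/oauth/access_scopes.json` endpoint, the environment variable names `SHOPIFY_SHOP` and `SHOPIFY_ACCESS_TOKEN` are assumptions, and the sample response is constructed.

```python
import json
import os
import urllib.request

def fetch_granted_scopes(shop, token):
    """Ask Shopify which scopes this token holds (performs a network call)."""
    req = urllib.request.Request(
        f"https://{shop}/admin/oauth/access_scopes.json",
        headers={"X-Shopify-Access-Token": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def audit_scopes(response_body, required):
    """Compare the scopes a token holds with the scopes the integration needs."""
    granted = {s["handle"] for s in json.loads(response_body)["access_scopes"]}
    required = set(required)
    excess = granted - required
    return {
        "missing": sorted(required - granted),  # calls needing these return 403
        "excess": sorted(excess),               # granted but unused: remove
        "excess_write": sorted(s for s in excess if s.startswith("write_")),
    }

# Constructed response body in the shape the endpoint returns.
SAMPLE_RESPONSE = json.dumps({"access_scopes": [
    {"handle": "read_products"},
    {"handle": "read_inventory"},
    {"handle": "write_inventory"},
    {"handle": "write_customers"},
]})

# Hypothetical requirement list for an inventory sync integration.
REQUIRED = ["read_products", "read_inventory", "write_inventory", "read_orders"]

if __name__ == "__main__":
    # Assumed variable names; the token is read from the environment,
    # never hard-coded. Without them, the constructed sample is audited.
    shop = os.environ.get("SHOPIFY_SHOP")
    token = os.environ.get("SHOPIFY_ACCESS_TOKEN")
    body = fetch_granted_scopes(shop, token) if shop and token else SAMPLE_RESPONSE
    print(json.dumps(audit_scopes(body, REQUIRED), indent=2))
```

A non-empty `excess_write` list is the finding to act on first, since those scopes let a leaked token modify store data the integration never touches.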