How to Get a Shopify Access Token for Custom App Development
Getting a Shopify access token is one of the most essential steps for developers looking to build custom applications, integrate third-party services, or automate store operations. Whether you're creating a private app for your own store or building a public app for the Shopify App Store, understanding how to generate and manage access tokens is critical for secure API communication in 2026.
In this comprehensive guide, we'll walk you through the entire process of obtaining a Shopify access token, exploring the different methods available, and addressing common challenges you might encounter along the way.
What You Need
- An active Shopify store (development, plus, or higher plan)
- Admin access to your Shopify store's backend
- Understanding of API basics and REST/GraphQL concepts
- A code editor or IDE for development work
- Familiarity with command-line tools (for testing API calls)
- Knowledge of your store's API credentials location
- Security best practices understanding for token management
Required API Scopes
| Scope | What It Allows |
|---|---|
| read_products | Retrieve product data, collections, and inventory information from your store |
| write_products | Create, update, and delete products and manage product-related data |
| read_orders | Access order information, customer details, and transaction history |
| write_orders | Modify orders, process refunds, and manage order fulfillment |
| read_customers | Retrieve customer profiles, contact information, and purchase history |
Step-by-Step Guide
Follow these detailed steps to generate your Shopify access token manually:
Step 1: Log In to Your Shopify Admin Dashboard
Navigate to your Shopify store's admin panel at https://admin.shopify.com/. Enter your credentials and complete any two-factor authentication if enabled. This is your control center for all store management and app configuration tasks.
Step 2: Access the Apps and Integrations Section
Once logged in, look for the "Apps and integrations" option in your left-hand navigation menu. In 2026, Shopify has streamlined this interface for better accessibility. Click on this section to view all connected applications and manage your API credentials.
Step 3: Create a New App or Select Custom App
Click the "Develop apps" button or select "Create an app" if you don't see existing apps. For custom development, you'll want to create a custom app rather than a public app. Shopify allows store owners to create private custom apps specifically for their own store's needs.
Step 4: Name Your App and Configure Settings
Give your app a descriptive name that reflects its purpose (e.g., "Inventory Sync Tool" or "Customer Data Integration"). This helps you identify the token's use case later. Accept Shopify's terms and proceed to the next section.
Step 5: Define Admin API Scopes
Select the specific API scopes your application needs. Be cautious to only grant the minimum permissions required for your use case. This follows the principle of least privilege, which is crucial for security. Common scopes include read_products, write_products, read_orders, and read_customers depending on your needs.
Step 6: Generate and Copy Your Access Token
After configuring your scopes, Shopify will generate your access token. This is a unique string of characters that authenticates your API requests. Copy this token immediately and store it securely — you won't be able to view it again without regenerating it.
Step 7: Store Your Token Securely
Never hardcode your access token directly into your application code. Instead, store it as an environment variable in a .env file that's excluded from version control:
# .env file example
SHOPIFY_ACCESS_TOKEN=shppa_1a2b3c4d5e6f7g8h9i0j
SHOPIFY_STORE_NAME=mystore
SHOPIFY_API_VERSION=2026-01
Step 8: Test Your Access Token
Verify your token works by making a test API call. Use the following curl example to retrieve basic shop information:
curl -X GET "https://mystore.myshopify.com/admin/api/2026-01/shop.json" \
-H "X-Shopify-Access-Token: shppa_1a2b3c4d5e6f7g8h9i0j" \
-H "Content-Type: application/json"
If successful, you'll receive a JSON response with your store's information. A 401 error indicates an invalid token, while a 403 error suggests insufficient scopes.
Step 9: Implement Token Rotation (Best Practice)
For security, plan to rotate your access tokens periodically. Shopify recommends regenerating tokens every 90 days or immediately if you suspect compromise. Document when tokens were created and establish a rotation schedule.
Using GetShopifyToken (Faster Method)
If the manual process seems complex or time-consuming, https://getshopifytoken.com provides an automated solution that streamlines token generation. This service handles the technical complexity, allowing developers to obtain valid access tokens quickly without navigating multiple Shopify admin screens. It's particularly useful for teams managing multiple Shopify stores or developers new to the Shopify platform.
The service integrates seamlessly with your workflow, reducing setup time from minutes to seconds while maintaining security standards and proper scope management.
Common Issues
- 401 Unauthorized Error: Your access token is invalid, expired, or incorrectly formatted. Verify you've copied the complete token without extra spaces and check that you're using the correct API version.
- 403 Forbidden Error: Your token lacks the necessary scopes for the requested operation. Return to your app settings and add the required permissions, then regenerate your token.
- Token Accidentally Exposed: If your token is visible in public repositories or logs, immediately regenerate it from the Shopify admin. Delete any exposed versions to prevent unauthorized API access.
- API Version Mismatch: Ensure you're using a supported API version. Shopify deprecates older versions, so verify compatibility in your API requests.
- Scope Changes Not Reflecting: After modifying scopes, you must regenerate your access token. Simply saving scope changes without generating a new token won't update permissions.
- Rate Limiting Issues: If you exceed API rate limits, implement exponential backoff in your retry logic and consider upgrading your Shopify plan for higher limits.
Related Guides
- Using Shopify GraphQL Admin API with Your Access Token
- Managing Multiple Store Tokens Securely Across Environments
- Integrating Shopify API with Third-Party Applications and Webhooks
Frequently Asked Questions
Q: How long do Shopify access tokens remain valid?
Access tokens don't expire automatically, but Shopify requires you to refresh them periodically for security purposes. Best practices recommend regenerating tokens every 90 days. However, if a token is compromised, you should regenerate it immediately. Always monitor your API activity for suspicious patterns.
Q: Can I use the same access token for multiple applications?
While technically possible, it's not recommended from a security perspective. Instead, create separate tokens for different applications and use cases. This approach allows you to revoke individual tokens without affecting other integrations if a breach occurs.
Q: What's the difference between custom app tokens and private app tokens?
In 2026, Shopify has unified much of this terminology. Custom apps are the modern approach for private use on your own store, replacing the older "private app" designation. These tokens are designed for store owners integrating with internal tools or third-party services, not for public distribution on the Shopify App Store.