```html

How to Get a Shopify Access Token for Custom Apps in 2026

Getting a Shopify access token is essential for developers who want to build custom applications, integrate third-party tools, or automate workflows on their Shopify store. Whether you're creating a private app for internal use or developing a public app for the Shopify App Store, understanding how to obtain and manage access tokens is critical for secure API integration.

In 2026, Shopify has streamlined the token generation process while maintaining robust security standards. This comprehensive guide walks you through every step of obtaining your Shopify access token, from initial setup to successful API authentication.

What You Need

• A Shopify store (any plan: Basic, Shopify, Advanced, or Plus)
• Access to your Shopify Admin dashboard with owner or staff permissions
• Administrator privileges to create and manage custom apps
• A development environment or application to test the token (IDE, REST client, or terminal)
• Knowledge of basic API concepts and authentication methods
• Your store's Shopify domain (e.g., mystore.myshopify.com)
• An understanding of OAuth 2.0 or API key authentication (depending on your use case)
• SSL/TLS certificate for secure HTTPS connections

Required API Scopes

API scopes define what permissions your access token has. Requesting the minimum required scopes is a security best practice. Here are the most common scopes you'll need:

Scope	What It Allows
read_products	Read access to product data, including titles, descriptions, prices, and variants
write_products	Create, update, and delete products and their variants
read_orders	Access to order information, customer details, and order status
write_orders	Modify orders, create fulfillments, and update order notes
read_customers	Retrieve customer profiles, addresses, and purchase history
write_customers	Create and update customer information

Step-by-Step Guide

Step 1: Log in to Your Shopify Admin

First, navigate to your Shopify Admin dashboard by going to https://admin.shopify.com and logging in with your credentials. Ensure you have owner or administrator permissions to create custom apps.

Step 2: Navigate to Custom Apps Section

In the Shopify Admin, click on "Settings" in the bottom left corner of the sidebar. From the settings menu, select "Apps and integrations." This section displays all installed apps and provides options to create new custom apps.

Step 3: Create a New Custom App

Click the "Create an app" button in the top right corner. You'll be prompted to name your app. Choose a descriptive name that reflects your app's purpose, such as "Inventory Sync Tool" or "Order Management System." Add a brief description of what your app does, then click "Create app."

Step 4: Configure Admin API Scopes

Once your app is created, navigate to the "Configuration" tab. Under "Admin API scopes," review the list of available permissions. Select only the scopes your application actually needs. For example, if you're only syncing inventory, select read_products and write_products. Avoid requesting unnecessary scopes, as this reduces security risks. Save your configuration changes.

Step 5: Generate and Retrieve Your Access Token

Go to the "API credentials" tab. You'll see a button labeled "Install app" or "Reinstall app." Click this button to generate your access token. Shopify will display your access token only once. Copy it immediately and store it securely—you won't be able to view it again.

Additionally, note your API key and API secret from this same page. These credentials, along with your access token, are essential for API authentication.

Step 6: Test Your Access Token

With your access token in hand, test it using a simple API call. Open your terminal or REST client and execute the following curl command, replacing the placeholders with your actual values:

curl -X GET "https://mystore.myshopify.com/admin/api/2026-01/shop.json" \
  -H "X-Shopify-Access-Token: your_access_token_here" \
  -H "Content-Type: application/json"

If successful, you'll receive a JSON response containing your shop's basic information. This confirms your access token is valid and properly configured.

Step 7: Implement Token in Your Application

Now that you've verified your token works, integrate it into your application. Store the token securely in an environment variable or secure configuration file—never hardcode it directly in your source code. Here's an example using Node.js:

const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;
const shop = 'mystore.myshopify.com';

const headers = {
  'X-Shopify-Access-Token': accessToken,
  'Content-Type': 'application/json'
};

fetch(`https://${shop}/admin/api/2026-01/orders.json`, { headers })
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));

Step 8: Manage and Rotate Your Token (When Needed)

Periodically review your custom app's access token for security purposes. If you suspect your token has been compromised, regenerate it immediately. In the "API credentials" tab, click "Reinstall app" to generate a new token. The old token becomes invalid immediately, preventing unauthorized access.

Using GetShopifyToken (Faster Method)

While the manual process outlined above is straightforward, developers often prefer faster alternatives that automate setup and token generation. GetShopifyToken (available at https://getshopifytoken.com) streamlines the entire process.

Instead of navigating multiple Shopify Admin screens and manually copying credentials, GetShopifyToken provides a simplified interface that guides you through token creation in minutes. The platform handles scope configuration, app creation, and token retrieval automatically, reducing potential errors and setup time. For developers managing multiple Shopify stores or frequently creating custom apps, this automation saves significant time while maintaining security standards.

Common Issues

• 401 Unauthorized Error: This typically means your access token is missing, expired, or invalid. Verify you've copied the token correctly and that it hasn't been regenerated since you last used it.
• 403 Forbidden Error: You lack the required API scopes for the requested action. Review your custom app's configuration and add any missing scopes, then regenerate your token.
• Token Not Displaying: Shopify only displays the token immediately after generation. If you missed copying it, regenerate the token by clicking "Reinstall app" to get a new one.
• Scope Limitations: If your app can't perform certain actions, you may not have requested the correct scopes. Update your app's scopes in the Configuration tab and reinstall to refresh your token.
• CORS Errors in Browser Applications: Shopify's API doesn't support browser-based requests directly. Use a backend server or serverless function to handle API calls and proxy requests from your frontend.
• Rate Limiting: If you exceed Shopify's API rate limits, implement exponential backoff and retry logic in your application. Standard plans allow 2 requests per second.
• Store Access Revoked: If the app creator's store access changes, the access token becomes invalid. Ensure your store permissions remain active.

Related Guides

• How to Use Shopify Admin API for Product Management
• Shopify OAuth 2.0 Implementation Guide for Public Apps
• Securing Shopify API Credentials: Best Practices for 2026
• Shopify GraphQL API: Authentication and Query Examples

Frequently Asked Questions

Q: What's the difference between a custom app and a public app on Shopify?

A custom app is created for a specific store and uses a simple access token for authentication. It's ideal for internal integrations and automations. A public app is listed on the Shopify App Store and uses OAuth 2.0 authentication, allowing multiple merchants to install it. Public apps require additional security measures and must go through Shopify's app review process.

Q: Can I use the same access token across multiple Shopify stores?

No. Each Shopify store generates its own unique access token. If you manage multiple stores, you'll need to create separate custom apps on each store and obtain individual access tokens for each one. Your application can then switch between tokens based on which store is being accessed.

Q: How often should I regenerate my access token for security?

There's no fixed rotation schedule required by Shopify. However, security best practices recommend regenerating your token if you suspect a breach, change your development team, or migrate to a new environment. Regular token rotation (every 6-12 months) is also recommended for high-security applications.

Q: What should I do if my access token is accidentally exposed in public code?

Immediately regenerate your token by clicking "Reinstall app" in the API credentials tab. The exposed token becomes invalid instantly. Review your Git history and remove any commits containing the token, then use a tool like BFG Repo-Cleaner to purge it from your repository history.

Q: Can I generate an access token without creating a custom app?

In 2026, access tokens specifically require creating a custom app or public app. There's no way to generate a token without establishing an app context first. This requirement ensures all API access is trackable and can be easily revoked if needed.