How to Get a Shopify Access Token for Admin API Integration
In 2026, integrating with the Shopify Admin API has become essential for developers and merchants looking to automate workflows, build custom applications, and streamline their e-commerce operations. However, before you can access Shopify's powerful API endpoints, you'll need an access token—a secure credential that authenticates your requests and grants you specific permissions to manage your store's data.
This comprehensive guide walks you through the exact process of obtaining a Shopify access token, understanding API scopes, and troubleshooting common issues. Whether you're building a custom app, connecting third-party integrations, or automating store management, you'll find everything you need to get started with the Shopify Admin API.
What You Need
- A Shopify store (any plan level: Basic, Shopify, Advanced, or Plus)
- Admin access to your Shopify store (full permissions required to create apps)
- A web browser to access the Shopify Admin dashboard
- Basic understanding of API concepts and REST/GraphQL protocols
- A text editor or IDE for storing and managing your access token securely
- SSL/HTTPS enabled for your application (required by Shopify)
- Knowledge of your store's URL in format: [store-name].myshopify.com
- Optional: A version control system (Git) for managing API credentials safely
Required API Scopes
API scopes define what permissions your app has within Shopify. When creating an access token, you'll specify which scopes your application needs. Here are the most common scopes for 2026:
| Scope | What It Allows |
|---|---|
| read_products | Read access to product data including titles, descriptions, prices, and variants. Essential for apps displaying or analyzing product information. |
| write_products | Full write access to create, update, and delete products and their variants. Required for inventory management and product automation tools. |
| read_orders | Read access to order information including customer details, line items, and order history. Necessary for order tracking and analytics apps. |
| write_orders | Write access to modify orders, create refunds, and manage fulfillment. Critical for order management and fulfillment automation applications. |
| read_customers | Read access to customer data including names, email addresses, phone numbers, and purchase history. Used by CRM and email marketing integrations. |
Step-by-Step Guide
Follow these steps to generate your Shopify Admin API access token:
- Log in to Your Shopify Admin Dashboard
Navigate to https://[your-store-name].myshopify.com/admin and log in with your admin credentials. You'll be taken to the main dashboard where you can manage all aspects of your store.
- Navigate to Apps and Integrations
In the left sidebar, click "Apps and integrations" (or "Apps" depending on your admin layout). This section houses all your store's installed apps and custom app settings.
- Access the App and Sales Channel Settings
Look for "App and sales channel settings" at the top of the Apps and integrations page. Click this option to access advanced settings where you can create custom apps.
- Create a New App
Click the "Create an app" button. A modal window will appear asking you to name your application. Enter a descriptive name (e.g., "Inventory Sync Tool" or "Order Automation App") and click "Create app".
- Configure Admin API Scopes
Once your app is created, navigate to the "Configuration" tab. Under "Admin API scopes," you'll see a list of available permissions. Select only the scopes your application requires. For example, if you're building an order management tool, select "read_orders" and "write_orders". Be conservative with permissions—only request what you need.
- Save Your Configuration
After selecting your required scopes, click "Save" at the bottom of the page. Shopify will update your app configuration with the new permissions.
- Generate Your Access Token
Navigate to the "API credentials" tab. Here you'll find your API Key and API Secret. Scroll down to find the "Admin API access token" section and click "Install app" or "Reveal token" (depending on whether this is your first time generating credentials). Shopify will display your access token—this is a long string of characters that looks something like this:
shpat_abcdef123456789ghijklmnop0987654321⚠️ Important: Copy this token immediately and store it in a secure location. Shopify will not show it again, and you'll need to regenerate it if you lose it.
- Store Your Token Securely
Never commit your access token to version control, hardcode it in your application, or share it publicly. Instead, store it as an environment variable or in a secure secrets management system. Here's how to use it in a typical API request:
curl -X GET "https://[your-store-name].myshopify.com/admin/api/2026-01/products.json" \ -H "X-Shopify-Access-Token: shpat_abcdef123456789ghijklmnop0987654321" \ -H "Content-Type: application/json"In this example, replace `[your-store-name]` with your actual store name and use your generated access token in the `X-Shopify-Access-Token` header.
- Test Your Access Token
To verify your token works, make a simple API request to retrieve your shop information:
curl -X GET "https://[your-store-name].myshopify.com/admin/api/2026-01/shop.json" \ -H "X-Shopify-Access-Token: shpat_abcdef123456789ghijklmnop0987654321"If successful, you'll receive a JSON response containing your store details. If you receive a 401 Unauthorized error, double-check that your token is correct and hasn't expired.
- Implement in Your Application
Use your access token in your application code by reading it from environment variables. For example, in Node.js:
const accessToken = process.env.SHOPIFY_ACCESS_TOKEN; const storeName = process.env.SHOPIFY_STORE_NAME; const shopifyUrl = `https://${storeName}.myshopify.com/admin/api/2026-01`; const headers = { 'X-Shopify-Access-Token': accessToken, 'Content-Type': 'application/json' }; // Make your API calls using these headers
Using GetShopifyToken (Faster Method)
While the manual process above is straightforward, it involves multiple steps and careful configuration. For developers and merchants who want to streamline this process, getshopifytoken.com offers an automated solution that generates your Shopify Admin API access token in minutes without navigating through the dashboard.
GetShopifyToken handles the technical setup, API scope selection, and token generation, reducing setup time from 15-20 minutes to just a few clicks. This is particularly useful if you're managing multiple stores or frequently creating temporary API credentials for testing and development purposes.
Common Issues
- 401 Unauthorized Error: Your access token is invalid, expired, or incorrectly formatted. Verify you've copied the complete token and that it's included in the correct header ("X-Shopify-Access-Token"). If the token is old, regenerate a new one from your app's API credentials page.
- Insufficient Scopes Error (403 Forbidden): Your access token doesn't have permission to perform the requested action. Return to your app's Configuration tab, add the necessary scopes, save, and regenerate your access token.
- Rate Limiting (429 Too Many Requests): You've exceeded Shopify's API rate limits. Implement exponential backoff in your application and reduce the frequency of your requests. Shopify allows 2 requests per second for most endpoints.
- Token Not Displaying After Generation: This is normal behavior for security reasons. If you didn't copy your token, you must click "Rotate credentials" to generate a new one. The old token will be invalidated.
- App Installation Failed: Ensure you have full admin permissions on your Shopify store. Custom app creation is disabled on stores with restricted admin access.
- HTTPS Connection Required: Shopify only accepts API requests over HTTPS. If you're testing locally, use an HTTPS tunnel service like ngrok or localtunnel.
- Store URL Format Error: Always use the format `[store-name].myshopify.com`. Don't use custom domains in API URLs unless you're specifically working with a custom domain store.
Related Guides
- How to Use Shopify GraphQL Admin API with Access Tokens
- Shopify API Rate Limiting: Best Practices and Solutions
- Securing Your Shopify API Credentials in 2026
Frequently Asked Questions
Q: How long does a Shopify access token last?
Access tokens for custom apps remain valid indefinitely until you manually revoke them or rotate your credentials. However, we recommend rotating your credentials regularly (every 90 days) as a security best practice. Unlike OAuth tokens that may expire, custom app tokens persist until explicitly invalidated.
Q: Can I use the same access token for multiple applications?
Technically yes, but it's not recommended. Each application should have its own dedicated access token with only the scopes it requires. This follows the principle of least privilege and makes it easier to revoke access if a particular app is compromised or no longer needed. Creating separate tokens also improves security auditing and monitoring.
Q: What's the difference between API Key, API Secret, and Access Token?
The API Key and API Secret are OAuth credentials used for public app distribution through the Shopify App Store. The Access Token is used for custom (private) apps and is what you include in API requests. For building custom apps or direct API integrations, you'll primarily work with the Access Token and include it in the X-Shopify-Access-Token header.