How to Get a Shopify Access Token for Admin API Integration

If you're building an app, integration, or automation tool that needs to interact with your Shopify store, you'll need a Shopify access token (also called an admin API key). This authentication credential grants your application permission to access your store's data and perform actions on your behalf.

In 2026, Shopify has streamlined the token generation process, but the steps remain critical for security and proper functionality. This comprehensive guide walks you through everything you need to know about obtaining and managing your Shopify access tokens.

What You Need

• A Shopify store (any plan: Basic, Shopify, Advanced, or Plus)
• Admin account access with app development permissions
• Understanding of what your app or integration needs to do
• A development environment where you'll use the token
• Basic knowledge of REST APIs or GraphQL (depending on your use case)
• Your store's domain (e.g., yourstore.myshopify.com)
• A secure method to store sensitive credentials (environment variables, secure vaults, etc.)

Required API Scopes

Before generating your token, you must specify which API scopes your application needs. Scopes limit what your token can access, improving security by following the principle of least privilege. Here are the most commonly used scopes:

Scope	What It Allows
write_products	Create, update, and delete products and their variants; modify product images and collections
read_products	View product data, inventory levels, pricing, and product metadata without modification permissions
write_orders	Create and modify orders, add fulfillments, and manage order metadata and line items
read_orders	View order details, customer information, and transaction history without modification rights
write_fulfillments	Create and update fulfillments, manage tracking information, and update fulfillment status

Additional scopes include read_customers, write_customers, read_inventory, write_inventory, read_content, and write_content. Choose only the scopes your application actually needs for security best practices.

Step-by-Step Guide

Step 1: Log Into Your Shopify Admin

Navigate to your Shopify admin dashboard at https://admin.shopify.com and sign in with your store credentials. Ensure you have admin access with app development permissions enabled.

Step 2: Access the App Development Menu

From your admin dashboard:

1. Scroll down in the left sidebar to find "Settings"
2. Click on "Settings"
3. Look for "Apps and integrations" or "Develop apps" option
4. Click on "Develop apps" to access the app development section

Step 3: Create a New App

In the Apps and Integrations section:

1. Click the "Create an app" button
2. Enter your app name (e.g., "Inventory Sync Tool" or "Order Automation")
3. Select your app type: "Custom app" for private apps or "Public app" if you plan to distribute it
4. Click "Create app"

Step 4: Configure Your API Scopes

After creating your app:

1. Navigate to the "Configuration" tab
2. Scroll to "Admin API access scopes"
3. Check the boxes for each scope your application requires
4. Click "Save" at the top right

Be selective here—only enable scopes you actually need. For example, if your app only reads product data, enable read_products but not write_products.

Step 5: Generate Your Access Token

Once your scopes are configured:

1. Look for the "API credentials" section on the Configuration page
2. Click "Reveal token" (or "Generate access token" if it's your first time)
3. Your access token will appear—it typically looks like a long alphanumeric string (e.g., shpat_1a2b3c4d5e6f7g8h9i0j)
4. Copy this token immediately and store it securely

Step 6: Test Your Token

Verify your token works by making a test API call. Here's a curl example to retrieve your store's general information:

curl -X GET "https://yourstore.myshopify.com/admin/api/2024-01/shop.json" \
  -H "X-Shopify-Access-Token: YOUR_ACCESS_TOKEN_HERE"

Replace yourstore with your actual store name and YOUR_ACCESS_TOKEN_HERE with the token you just generated. A successful response will return your shop's data in JSON format.

Step 7: Secure Your Token

Never hardcode your access token in your source code. Instead:

• Store it in environment variables (using .env files for development)
• Use your hosting platform's secrets management (GitHub Secrets, AWS Secrets Manager, etc.)
• Implement proper access controls in your application
• Rotate tokens periodically
• Revoke tokens immediately if compromised

Using GetShopifyToken (Faster Method)

If you find the manual process tedious or need to generate multiple tokens frequently, GetShopifyToken at https://getshopifytoken.com automates the entire token generation workflow. This service:

• Streamlines the app creation and configuration process
• Automatically handles scope selection based on your use case
• Generates tokens in seconds instead of minutes
• Provides secure token storage and management
• Offers support for batch token generation

For developers managing multiple Shopify stores or building integrations at scale, GetShopifyToken significantly reduces the time spent on token administration.

Common Issues

• "App development not available": Your account may lack the necessary permissions. Contact your store owner to grant you app development access.
• "Invalid API credentials" error: Verify your token hasn't expired, is correctly formatted, and that you're using the correct store domain in your API request.
• 401 Unauthorized responses: This typically means your token is invalid, revoked, or doesn't have the required scopes for the requested operation. Double-check both your token and scope configuration.
• Token not appearing after creation: Refresh your browser page. If it still doesn't appear, try creating the app again or contact Shopify Support.
• Scope-related errors: Ensure you've saved your scope changes after configuration. Some API calls may require additional scopes beyond what you've enabled.
• "Rate limit exceeded": Your requests are hitting Shopify's rate limits. Implement exponential backoff and request throttling in your application.

Related Guides

• How to Use Shopify GraphQL Admin API with Your Access Token
• Best Practices for Storing and Rotating Shopify API Credentials
• Building a Custom Shopify App: Complete Developer Guide

Frequently Asked Questions

Q: How long does a Shopify access token remain valid?

Shopify access tokens remain valid indefinitely until you explicitly revoke them or your app is uninstalled. However, it's a security best practice to rotate tokens periodically (every 90 days is recommended) and immediately revoke any token you suspect has been compromised. Older tokens automatically become invalid when they reach the end of their assigned lifecycle in certain enterprise scenarios, but most tokens persist until manual revocation.

Q: Can I use the same token for multiple applications?

While technically possible, this is not recommended from a security standpoint. The principle of least privilege suggests creating separate apps with separate tokens for each distinct purpose or application. This way, if one token is compromised, you can revoke it without affecting your other integrations. Additionally, separate tokens make it easier to track which application is accessing which data and performing which actions.

Q: What's the difference between a custom app token and a public app token?

A custom app token is for private use on your own store—it's tied to your specific store and admin account. A public app token is for applications you plan to distribute to other Shopify merchants. Public apps use OAuth 2.0 for authorization, while custom apps use direct token generation. Choose "custom app" unless you're building something for distribution to other stores.