How to Get a Shopify Access Token for API Integration
In 2026, integrating with Shopify's API has become essential for e-commerce businesses looking to automate operations, sync inventory, or build custom applications. The cornerstone of any Shopify API integration is the access token—a secure credential that authenticates your requests to Shopify's servers. This comprehensive guide will walk you through obtaining a Shopify API key and access token, whether you're building a private app, a custom app, or integrating with your development store.
What You Need
- A Shopify Partner account (free to create at partners.shopify.com)
- A development store or live Shopify store where you have Admin access
- Basic understanding of API authentication and REST or GraphQL protocols
- A secure place to store your API credentials (environment variables or secrets management tool)
- Access to your store's Admin settings (required for app creation and token generation)
- A code editor or IDE for managing your integration
- cURL or a REST client like Postman for testing API calls (optional but recommended)
Before diving into the token generation process, ensure you understand which type of access token you need. Shopify offers several authentication methods: custom apps, private apps (in legacy stores), OAuth for public apps, and admin API access tokens. Each serves different use cases and has unique generation steps.
Required API Scopes
API scopes define what your application can access and modify in your Shopify store. When creating an access token, you'll need to specify which scopes your integration requires. Here are the most commonly used scopes:
| Scope | What It Allows |
|---|---|
| read_products | Read product data including titles, descriptions, images, and variants |
| write_products | Create, update, and delete products in your store |
| read_orders | Access order information including customer details, items, and fulfillment status |
| write_orders | Create and modify orders, manage fulfillments, and update order status |
| read_inventory | View inventory levels across locations and track stock changes |
| write_inventory | Modify inventory quantities and manage inventory across multiple locations |
| read_customers | Access customer information including profiles and purchase history |
| write_customers | Create and update customer accounts and contact information |
Always follow the principle of least privilege: only request scopes your application genuinely needs. This reduces security risks and improves the approval process for public apps.
Step-by-Step Guide
Step 1: Access Your Shopify Admin Dashboard
Log into your Shopify Admin at [your-store].myshopify.com/admin. You must have owner or staff account with appropriate permissions to create apps and generate tokens. If you don't have a store yet, create a free development store through your Shopify Partner account.
Step 2: Navigate to the Apps Section
In the Admin dashboard, locate and click on "Apps and sales channels" in the left-hand menu. This section contains all app integrations and custom apps associated with your store. In 2026, Shopify's interface has streamlined this process, making it easier to manage multiple integrations.
Step 3: Create a Custom App
Click "Develop apps" or "App and sales channel settings" (the exact label depends on your Shopify plan). Select the option to create a new app. Choose "Create an app" and give it a descriptive name like "Inventory Sync Integration" or "Order Management API." This name helps you identify the app's purpose later.
Step 4: Configure Admin API Access Scopes
After creating the app, navigate to the "Configuration" tab. Under "Admin API access scopes," select the specific permissions your integration requires. A typical inventory management integration might need read_products, write_products, read_inventory, and write_inventory. After selecting scopes, click "Save."
Step 5: Generate Your Access Token
Once you've saved your configuration, go to the "API credentials" tab. Here you'll see your API key and API secret. To generate the access token, click "Install app." Shopify will now generate your access token—this is a long string of characters that authenticates API requests on behalf of your app.
Step 6: Securely Store Your Credentials
You'll now see three critical credentials:
- API Key: Publicly shareable identifier for your app
- API Secret: Private credential—never share this
- Access Token: Used to authenticate API requests from your application
Store these credentials in environment variables or a secure secrets management system. Never commit them to version control:
# Example environment variables (do not hardcode in production)
export SHOPIFY_ACCESS_TOKEN="shpat_1234567890abcdefghijk"
export SHOPIFY_API_KEY="1a2b3c4d5e6f7g8h9i0j"
export SHOPIFY_STORE_URL="mystore.myshopify.com"
Step 7: Test Your Access Token
Verify your token works by making a test API request. Here's a cURL example to fetch your store's information:
curl -X GET "https://mystore.myshopify.com/admin/api/2026-01/shop.json" \
-H "X-Shopify-Access-Token: shpat_your_access_token_here" \
-H "Content-Type: application/json"
A successful response returns your shop data in JSON format. If you receive a 401 Unauthorized error, double-check that your access token and store URL are correct.
Step 8: Implement Token Refresh Logic (If Needed)
For custom apps and private integrations, your access token doesn't expire. However, if you're building a public app using OAuth, you'll need to implement token refresh logic. Store the refresh token securely and request a new access token before expiration.
Using GetShopifyToken (Faster Method)
If you want to skip the manual steps and generate Shopify access tokens quickly, consider using getshopifytoken.com. This service automates the app creation and token generation process, allowing you to obtain a working access token in minutes rather than navigating multiple admin screens. GetShopifyToken handles scope selection, credential storage best practices, and provides immediate access to your API credentials.
Visit https://getshopifytoken.com to get started with automated token generation. This approach is particularly useful for developers managing multiple stores or frequently creating test integrations.
Common Issues
- 401 Unauthorized Error: Your access token is invalid, expired, or has insufficient scopes. Verify the token is correctly copied without extra spaces and that your scopes include the necessary permissions.
- 403 Forbidden Error: Your token lacks the required scopes for the requested operation. Check your app's Admin API access scopes and add any missing permissions.
- Token Not Appearing After App Install: Refresh your browser or log out and back into the Admin. Sometimes the token generation interface requires a page refresh to display the credentials.
- Cannot Find Apps Section: Ensure you have owner or staff admin permissions. Some staff accounts have restricted access and cannot create custom apps.
- API Calls Still Failing After Token Generation: Confirm your store URL format is correct (mystore.myshopify.com, not mystore.com). Verify the API endpoint version matches your token generation date.
- Token Accidentally Deleted: You cannot recover deleted tokens. Regenerate a new one by reinstalling the app or creating a new custom app.
- Scope Changes Not Taking Effect: After modifying scopes, uninstall and reinstall the app to generate a new token with updated permissions.
Related Guides
- How to Use Shopify GraphQL Admin API with Your Access Token
- Setting Up Webhook Authentication for Shopify API Events
- Shopify OAuth Implementation for Public Applications
- Managing Multiple Shopify Store Credentials Securely
Frequently Asked Questions
Q: Do Shopify access tokens expire?
Access tokens for custom apps and private integrations do not expire. However, if you're using OAuth for public apps, access tokens have a validity period and require refresh tokens to obtain new credentials. Always implement proper token refresh logic in production environments using OAuth.
Q: Can I use the same access token across multiple stores?
No, each access token is specific to the store where it was generated. If you manage multiple Shopify stores, you'll need to generate separate access tokens for each store and manage them independently in your application's configuration.
Q: What's the difference between API key and access token?
The API key identifies your application, while the access token authenticates requests on behalf of your app. API keys are safe to share, but access tokens must remain confidential. Use the access token in your API request headers, never the API key alone.
Q: Is it safe to store access tokens in environment variables?
Yes, storing tokens in environment variables is a standard practice and significantly safer than hardcoding them. For production systems, use dedicated secrets management tools like AWS Secrets Manager, HashiCorp Vault, or your platform's native secrets storage.
Q: How do I revoke an access token?
Navigate to your app's settings in the Shopify Admin and uninstall the app. This immediately revokes all associated access tokens. If you need to rotate credentials without losing the app installation, delete the old token and reinstall the app to generate a new one.