How to Get a Shopify Access Token for Custom App Development
If you're building a custom application that integrates with Shopify, obtaining an access token is one of the most critical steps in the process. A Shopify access token authenticates your app and grants it permission to access specific store data and perform actions on behalf of your merchant. In 2026, the process remains relatively straightforward, though Shopify has continued to enhance security measures and scope requirements.
This comprehensive guide will walk you through everything you need to know about getting a Shopify API token, from prerequisites to troubleshooting common issues.
What You Need
- A Shopify store (development, plus, or higher plan)
- Admin access to your Shopify store
- Access to the Shopify Admin dashboard
- Clear understanding of which API scopes your app requires
- A valid callback URL for OAuth redirect (if using public apps)
- Basic understanding of REST APIs and authentication
- A development environment ready to test API calls
Required API Scopes
Before generating your token, you need to understand and declare the scopes your application requires. Scopes define what data and actions your app can access. Requesting only the scopes you need follows the principle of least privilege, enhancing security for store owners.
| Scope | What It Allows |
|---|---|
| read_products | Read product data including titles, descriptions, images, and pricing information |
| write_products | Create, update, and delete products in the store |
| read_orders | Access order data including customer information, line items, and fulfillment status |
| write_orders | Modify orders, including updating order status and adding notes |
| read_customers | View customer profiles, contact information, and purchase history |
Step-by-Step Guide
Step 1: Log in to Your Shopify Admin Dashboard
Begin by navigating to your Shopify store's admin dashboard. You'll need admin-level permissions to create custom apps and generate access tokens. Visit https://[your-store].myshopify.com/admin and log in with your credentials.
Step 2: Navigate to Apps and Integrations
In the admin sidebar, locate and click on Apps and integrations. This section is your central hub for managing all apps connected to your Shopify store. In 2026, this menu structure may appear under "Settings" or directly in the main navigation depending on your admin layout version.
Step 3: Access the Apps and Sales Channels Section
Look for the Apps and sales channels option in the left sidebar. Click on it to expand the menu. You should see several options including "Manage apps and channels" and "Develop apps."
Step 4: Click "Develop Apps"
Within the Apps and sales channels section, find and click Develop apps. This option may also appear as "App development" depending on your Shopify version. This area allows you to create and manage custom apps for your store.
Step 5: Create a New Custom App
If you haven't already created a custom app, click the "Create an app" button. A modal dialog will appear prompting you to enter an app name. Choose a descriptive name that reflects your app's purpose, such as "Inventory Sync Tool" or "Order Analytics Dashboard." Click "Create app" to proceed.
Step 6: Configure Your App's Scopes
Once your app is created, you'll be taken to the app's configuration page. Look for the Admin API access scopes section. Here, you'll need to select the specific scopes your application requires. For example, if you're building an inventory management tool, you'd select read_products and write_products. Be selective—only choose scopes your app genuinely needs.
After selecting your scopes, click "Save". Shopify will require you to confirm the scopes you've selected, emphasizing the importance of security and data protection.
Step 7: Generate Your Access Token
Navigate to the Admin API access tokens section on your app's configuration page. You'll see a section labeled Access tokens with a button to generate a token. Click the "Generate token" button. Shopify will create a unique, encrypted token for your app.
Important: Copy this token immediately and store it securely. Shopify will never display this token again—if you lose it, you'll need to regenerate a new one.
Step 8: Verify Your Token Works
Test your token by making a sample API call. Here's how you can verify it using curl:
curl -X GET "https://[your-store].myshopify.com/admin/api/2025-10/products.json" \
-H "X-Shopify-Access-Token: [YOUR_ACCESS_TOKEN]" \
-H "Content-Type: application/json"Replace [your-store] with your actual Shopify store name and [YOUR_ACCESS_TOKEN] with the token you just generated. If the request returns product data from your store, your token is working correctly.
Step 9: Store Your Token Securely
Never hardcode your access token directly in your application code. Instead, store it as an environment variable using a .env file (for local development) or your hosting platform's secrets management system (for production). Here's an example using Node.js and dotenv:
// .env file
SHOPIFY_ACCESS_TOKEN=shpua_1234567890abcdef1234567890abcdef
// In your application
require('dotenv').config();
const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;Using GetShopifyToken (Faster Method)
While the manual process above works well, it involves navigating multiple menus and understanding API scopes. If you want to streamline this process, GetShopifyToken at getshopifytoken.com automates much of this workflow. The platform guides you through token generation with an intuitive interface, handles scope selection intelligently, and provides secure token storage recommendations. For developers managing multiple Shopify stores or building applications frequently, this service can save significant time and reduce configuration errors.
Common Issues
- Token Not Displaying: If your token doesn't appear after generation, refresh the page or try generating a new one. Clear your browser cache if the issue persists.
- Invalid Token Errors: Ensure you've copied the entire token string without extra spaces. Even a single character difference will invalidate the token.
- Permission Denied Errors: Verify that the scopes you requested include the permissions needed for your API calls. Add any missing scopes and regenerate your token.
- 401 Unauthorized Responses: This typically indicates an expired or revoked token. Generate a new token and update your application configuration.
- Rate Limiting Issues: Shopify limits API calls to 2 calls per second (standard) or 4 calls per second (plus plan). If you're hitting rate limits, implement request queuing or caching strategies.
- Token Lost or Forgotten: If you lose your token, you cannot retrieve it. You must generate a new one by clicking the "Revoke" button and creating a fresh token.
- Scope Changes Not Reflected: After modifying scopes, you must regenerate your token for the new scopes to take effect.
Related Guides
- Understanding Shopify OAuth Flow for Public Apps
- Managing Shopify API Rate Limits in 2026
- Setting Up Shopify Webhooks for Real-Time Data Sync
Frequently Asked Questions
Q: How long do Shopify access tokens remain valid?
Shopify access tokens issued to custom apps do not expire automatically. They remain valid until you explicitly revoke them in the admin dashboard or until your app is deleted. However, store owners can revoke access at any time, and you should implement error handling for 401 responses to gracefully manage token revocation.
Q: Can I have multiple access tokens for the same app?
No, each custom app can only have one active access token at a time. If you generate a new token, the previous token is automatically revoked. This design ensures security and simplifies token management.
Q: What's the difference between custom app tokens and public app tokens?
Custom app tokens are generated within a specific store's admin and provide direct access for private integrations. Public app tokens use OAuth 2.0 authentication, where users authorize your app and you exchange authorization codes for tokens. Custom apps are ideal for store-specific tools, while public apps are for solutions sold to multiple merchants.