```html

How to Get a Shopify Access Token for App Development

If you're building a Shopify app or integrating with the Shopify platform, obtaining an access token is one of the most critical steps in your development workflow. An access token is a secure credential that allows your application to authenticate with Shopify's API and perform authorized actions on behalf of a merchant's store. In 2026, the process has become more streamlined, but understanding each step remains essential for developers of all skill levels.

This comprehensive guide will walk you through everything you need to know about getting a Shopify access token, whether you're building a custom app, creating a public marketplace app, or integrating with Shopify's Admin API.

What You Need

• A Shopify Partner account (free to create at partners.shopify.com)
• Access to a development store or test store
• Basic understanding of API authentication and OAuth 2.0
• Your app's API credentials (API Key and API Secret)
• A secure backend server (for public apps using OAuth)
• HTTPS-enabled redirect URI for OAuth callback handling
• Administrative access to your Shopify store
• Knowledge of cURL, Postman, or similar API testing tools (optional but helpful)

Understanding Shopify Access Tokens

Before diving into the technical process, it's important to understand that Shopify offers two primary methods for obtaining access tokens:

Custom App Tokens: These are ideal for private apps or integrations specific to a single store. They're the quickest way to get started and don't require user authentication.

OAuth 2.0 Tokens: These are necessary for public apps that will be distributed across multiple stores. They follow the OAuth 2.0 protocol and require merchant authorization.

Required API Scopes

API scopes define what permissions your access token has. Requesting only the scopes your app actually needs is a security best practice. Here are common scopes you'll encounter:

Scope	What It Allows
read_products	Read access to all product data including titles, descriptions, and pricing
write_products	Ability to create, update, and modify product information in the store
read_orders	Read access to order information, including order details and customer data
write_orders	Ability to create, update, and fulfill orders programmatically
read_customers	Read access to customer information, addresses, and account details
write_inventory	Ability to manage inventory levels and stock adjustments

Step-by-Step Guide

Method 1: Getting a Token for a Custom App (Fastest)

Step 1: Log In to Your Shopify Partner Dashboard

Navigate to partners.shopify.com and sign in with your Partner account credentials. If you don't have a Partner account yet, you'll need to create one—it's completely free and takes just a few minutes.

Step 2: Create or Select Your Development Store

In the Partner dashboard, go to "Stores" and either create a new development store or select an existing one. Development stores are sandbox environments perfect for testing. Choose a store name that clearly indicates it's for development purposes.

Step 3: Access the App Setup Section

Once inside your development store, navigate to Settings > Apps and Integrations > App and Integration Settings. From here, you'll see options for managing API credentials and creating custom apps.

Step 4: Create a Custom App

Click on "Create an App" or "Develop Apps" depending on your dashboard version. Select "Create App" and choose "Custom app" from the available options. Give your app a descriptive name that reflects its purpose (e.g., "Inventory Sync Tool" or "Order Export App").

Step 5: Configure API Scopes

In the Admin API section, carefully select only the scopes your application requires. Be restrictive here—requesting excessive permissions can be a security risk and may concern users. For example, if you only need to read products, don't request write access. Your selection might look like this if you're building an inventory management tool:

Required Scopes:
- read_products
- read_inventory
- write_inventory
- read_locations

Step 6: Generate Your Access Token

After configuring your scopes, click "Save" and then "Reveal" next to the Admin API access token. This token is a long alphanumeric string that you should copy and store securely. Shopify will only show this token once, so save it immediately in a secure location like an environment variable or secrets manager.

Step 7: Test Your Token

To verify your token works, you can make a test API call. Open your terminal or API client and execute the following cURL command, replacing the placeholder values:

curl -X GET "https://your-store-name.myshopify.com/admin/api/2024-01/products.json" \
  -H "X-Shopify-Access-Token: shpat_your_access_token_here" \
  -H "Content-Type: application/json"

If the request returns product data from your store, your token is working correctly. If you receive a 401 error, double-check that the token is complete and hasn't been accidentally modified.

Method 2: Getting a Token via OAuth 2.0 (For Public Apps)

Step 1: Create a Public App in Your Partner Dashboard

In the Partner dashboard, go to "Apps" > "Create App" > select "Public App." Fill in your app name and choose the type of app you're building (e.g., sales channel, marketing app, etc.).

Step 2: Configure API Credentials

Navigate to Configuration and copy your API Key and API Secret. You'll need both of these for the OAuth flow. Also, set your "App URL" and "Redirect URL." The redirect URL is critical—this is where Shopify will send the authorization code after a merchant approves your app.

Step 3: Build Your OAuth Authorization Flow

When a merchant installs your app, you'll redirect them to Shopify's authorization endpoint. Here's an example redirect URL your app should generate:

https://your-store.myshopify.com/admin/oauth/authorize?
client_id=YOUR_API_KEY&
scope=read_products,write_orders&
redirect_uri=https://yourapp.com/auth/callback&
state=random_state_string

Step 4: Handle the Authorization Code

After the merchant authorizes, Shopify redirects them back to your redirect_uri with an authorization code. Your backend should capture this code and immediately exchange it for an access token using a POST request:

curl -X POST "https://your-store.myshopify.com/admin/oauth/access_token" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "your_api_key",
    "client_secret": "your_api_secret",
    "code": "authorization_code_from_shopify"
  }'

The response will contain your access token, along with its expiration details and approved scopes.

Step 5: Store the Token Securely

Never store access tokens in plain text or client-side code. Use encrypted databases, environment variables, or dedicated secrets management services. Always transmit tokens over HTTPS only.

Using GetShopifyToken (Faster Method)

If you want to skip the manual setup and get your Shopify access token quickly, consider using GetShopifyToken. This service automates the token generation process, handling OAuth flows and scope management without requiring you to manually configure API credentials or build authorization flows. It's particularly useful if you're integrating with multiple stores or need tokens on demand. Simply visit https://getshopifytoken.com, connect your store, and receive your access token in seconds.

Best Practices for Managing Your Access Token

• Rotate Tokens Regularly: Even though Shopify tokens don't expire by default, rotate them periodically as a security measure.
• Use Environment Variables: Never hardcode tokens in your source code. Use environment variables or configuration files that aren't committed to version control.
• Implement Token Encryption: If storing tokens in a database, encrypt them using strong encryption algorithms.
• Monitor Token Usage: Regularly review your app's API activity in the Shopify Partner dashboard to detect unusual behavior.
• Revoke Unused Tokens: If you create multiple tokens for testing, delete the ones you're not using.
• Use Minimal Scopes: Request only the permissions your app actually needs.

Common Issues

• 401 Unauthorized Error: Your access token is missing, incorrect, or has been revoked. Verify the token is complete and properly formatted in the X-Shopify-Access-Token header.
• 403 Forbidden Error: Your token doesn't have the required scope for that API endpoint. Check your token's scopes and add any missing ones.
• Token Not Appearing: Refresh your browser or log out and back into the Partner dashboard. Sometimes the dashboard needs to be refreshed to display newly generated tokens.
• OAuth Redirect Not Working: Ensure your redirect URL exactly matches the one configured in your app settings, including the protocol (https://) and trailing slashes.
• Rate Limit Errors (429): You're making too many API requests. Implement exponential backoff and respect Shopify's rate limits (typically 2 requests per second for most endpoints).
• Invalid Scope Name: Double-check the exact spelling of your requested scopes. Shopify is case-sensitive and uses underscores, not hyphens.
• Store Not Found: If you're building for a specific store, verify the store URL format. Development stores typically end in .myshopify.com.

Related Guides

• How to Use the Shopify GraphQL Admin API with Your Access Token
• Shopify API Rate Limits and How to Optimize Your Requests
• Building Your First Shopify App: A Complete 2026 Developer Guide
• Shopify OAuth 2.0: Security Best Practices for Token Management

Frequently Asked Questions

Q: Do Shopify access tokens expire?

By default, Shopify access tokens do not expire. However, they can be revoked by the merchant at any time through the Shopify admin, or they may be invalidated if the app is uninstalled. It's best to implement logic in your application to handle token revocation gracefully.

Q: Can I use the same access token for multiple stores?

No. Each access token is specific to a single store and API version. If you're building an app for multiple stores, you'll need to obtain and securely store a separate token for each store. This is handled automatically through the OAuth flow when merchants install your public app.

Q: What's the difference between API Key and Access Token?

An API Key (along with API Secret) is used in the OAuth flow to request an access token. The access token itself is what you use in actual API requests. Think of the API Key as your application's identity, and the access token as a temporary credential that grants permission to act on behalf of a store.

Q: Is it safe to share my access token in code repositories?

Absolutely not. Your access token should be treated like a password. Never commit it to version control, never share it publicly, and never include it in client-side code. Always use environment variables or secure secrets management systems.

Q: How do I know which scopes I need for my app?

Review the Shopify API documentation for the specific endpoints you plan to use. Each endpoint documentation page lists which scopes are required. Start with the minimum necessary scopes and only add more if your app functionality requires them. Remember that more scopes mean more permissions, which can concern merchants installing your app.

Q: Can I have multiple access tokens for the same store?

Yes. You can create multiple custom app tokens for a single store, or a merchant can install multiple public apps (each with their own token). However, it's generally cleaner to use a single token per integration unless you have a specific reason to separate concerns.