Published April 15, 2026. Updated April 15, 2026.

How to Get a Shopify Access Token for App Development

Getting a Shopify access token is essential if you're building apps, integrations, or custom solutions that interact with Shopify stores. Whether you're a developer working on a private app, a custom integration, or a third-party application, understanding how to obtain and manage your OAuth token is crucial for secure API access.

In 2026, Shopify's authentication process has evolved to prioritize security and developer experience. This comprehensive guide will walk you through everything you need to know about obtaining a Shopify OAuth token, from prerequisites to troubleshooting common issues.

What You Need

Required API Scopes

API scopes define what data and actions your app can access. You must request the appropriate scopes when obtaining your token. Here are the most commonly used scopes:

| Scope | What It Allows |
|---|---|
| read_products | Read product data, including titles, descriptions, prices, and variants |
| write_products | Create, update, and delete products in the store |
| read_orders | Access order information, customer data, and order history |
| write_orders | Create, modify, and cancel orders programmatically |
| read_customers | Retrieve customer profiles, contact information, and purchase history |

Step-by-Step Guide

Step 1: Create a Shopify Partner Account

If you don't already have one, visit partners.shopify.com and sign up for a free Shopify Partner account. This account gives you access to the Partner dashboard where you can create and manage apps, access test stores, and view API credentials.

Step 2: Create a Development App

Log into your Partner dashboard and navigate to the "Apps and integrations" section. Click "Create an app" and select "Create an app manually." Choose a name for your app (e.g., "My Custom Integration") and click "Create app."

Step 3: Configure Your App Settings

In your app's settings page, you'll see two critical pieces of information:

Scroll down to "Admin API access scopes" and select the scopes your app requires. For example, if your app needs to read products and orders, check both read_products and read_orders.

Step 4: Set Your Redirect URI

Under "App setup," locate the "Allowed redirect URI(s)" section. Add your redirect URI—this is where Shopify will send users after they authorize your app. For local development, this might be https://localhost:3000/auth/callback. For production, use your actual domain: https://yourdomain.com/auth/callback.

Important: All redirect URIs must use HTTPS. Shopify will reject non-secure URLs for security reasons.

Step 5: Initiate the OAuth Flow

Direct your users to Shopify's authorization endpoint. Construct a URL with your API key, scopes, and redirect URI:

https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}

Replace the placeholders with your actual values. The state parameter is a security nonce—generate a random string to prevent CSRF attacks.

Step 6: Handle the Authorization Callback

When the user authorizes your app, Shopify redirects them back to your redirect URI with an authorization code. Your server should capture this code:

GET /auth/callback?code=authorization_code&hmac=hmac_value&shop=mystore.myshopify.com&state=your_nonce&timestamp=timestamp

Verify the HMAC: Before proceeding, always verify that the HMAC signature matches to ensure the request came from Shopify.
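
Steps 5 and 6 as server-side Python, added here as an example and not taken from this guide's original text or from Shopify's code: it builds the authorization URL with a random state, then checks the callback's HMAC, state and shop before the code is exchanged. It assumes the callback HMAC is a hex HMAC-SHA256, keyed with the API secret, over the remaining query parameters sorted by key and joined as key=value pairs; the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode

# Assumption: only <name>.myshopify.com is accepted as a shop hostname.
SHOP_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com")


def build_authorize_url(shop, api_key, scopes, redirect_uri):
    """Step 5: return (url, state); keep state in the user's server-side session."""
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("invalid shop hostname")
    state = secrets.token_urlsafe(32)  # unpredictable per-request nonce
    query = urlencode({"client_id": api_key, "scope": ",".join(scopes),
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://{shop}/admin/oauth/authorize?{query}", state


def sign_params(params, api_secret):
    """Hex HMAC-SHA256 over the key-sorted 'k=v&...' string, hmac excluded (assumed scheme)."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(api_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(query_string, api_secret, expected_state):
    """Step 6: return (ok, reason) for the callback query; compares are constant-time."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        return False, "duplicate parameter"
    if not {"code", "hmac", "shop", "state"} <= params.keys():
        return False, "missing parameter"
    if not hmac.compare_digest(sign_params(params, api_secret).encode(), params["hmac"].encode()):
        return False, "bad hmac"
    if not hmac.compare_digest(params["state"].encode(), expected_state.encode()):
        return False, "state mismatch"
    if not SHOP_RE.fullmatch(params["shop"]):
        return False, "bad shop"
    return True, "ok"


if __name__ == "__main__":  # constructed sample values, not real credentials
    url, state = build_authorize_url("mystore.myshopify.com", "constructed-key",
                                     ["read_products"], "https://localhost:3000/auth/callback")
    cb = {"code": "constructed-code", "shop": "mystore.myshopify.com", "state": state}
    cb["hmac"] = sign_params(cb, "constructed-secret")
    print(url, verify_callback(urlencode(cb), "constructed-secret", state))
```

Only proceed to the token exchange in Step 7 when `verify_callback` returns `(True, "ok")`, and discard the stored state after one use.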

Step 7: Exchange the Authorization Code for an Access Token

Send a POST request to Shopify's token endpoint with your authorization code, API key, and API secret. Here's a cURL example:

curl -X POST https://mystore.myshopify.com/admin/oauth/access_token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "your_api_key_here",
    "client_secret": "your_api_secret_here",
    "code": "authorization_code_from_callback"
  }'

Shopify will respond with a JSON object containing your access token:

{
  "access_token": "shpat_abcdef1234567890",
  "scope": "write_products,read_orders",
  "expires_in": 86400
}

Step 8: Store Your Access Token Securely

Save the access token in a secure database or environment variable. Never commit tokens to version control or expose them in client-side code. Use HTTPS encryption for all API calls that include your token.

Step 9: Make API Requests with Your Token

Include your access token in the X-Shopify-Access-Token header when making API requests:

curl -X GET https://mystore.myshopify.com/admin/api/2024-01/products.json \
  -H "X-Shopify-Access-Token: shpat_abcdef1234567890"

Using GetShopifyToken (Faster Method)

While the manual process works well, if you want to streamline your workflow and reduce setup complexity, https://getshopifytoken.com provides an automated solution that handles many of these steps for you. This service can significantly speed up the token generation process, especially if you're managing multiple apps or stores.

GetShopifyToken simplifies the authentication flow by abstracting away much of the complexity, allowing you to focus on building your integration rather than managing OAuth mechanics. For developers working on multiple Shopify projects, this can be a significant time-saver.

Frequently Asked Questions

Q: What's the difference between a Shopify access token and an API key?

An API key is the public identifier for your app and is visible in your Partner dashboard. An access token is a short-lived credential that grants permission to access a specific store's data. The API key identifies your app; the access token authenticates it for a particular store. You need both—the API key to initiate the OAuth flow and the access token to make API requests on behalf of a store.

Q: Can I use the same access token for multiple Shopify stores?

No. Each access token is specific to one store. If your app needs to work with multiple stores, you must complete the OAuth flow separately for each store and maintain separate tokens. This is a security feature that prevents a compromised token from affecting multiple stores.

Q: How long does an access token remain valid?

By default, Shopify access tokens expire after 24 hours. You'll need to implement a token refresh mechanism or guide users through re-authentication. Some custom solutions might offer longer-lived tokens, but the standard Shopify OAuth flow uses 24-hour expiration for security reasons.

Q: Is it safe to include my access token in API requests?

Yes, as long as you use HTTPS for all requests. HTTPS encrypts the token in transit, preventing interception. Never make API calls over plain HTTP, as this would expose your token to packet sniffing attacks. Always store tokens server-side and never include them in client-side JavaScript.

Q: What should I do if I accidentally expose my access token?

Immediately revoke the token by deleting the app authorization in your Shopify account's "Apps and channels" section. This invalidates the token and prevents anyone from using it. Then generate a new token by completing the OAuth flow again with fresh credentials.
