How to Get a Shopify Access Token for Custom App Development
If you're building a custom application that integrates with your Shopify store, obtaining a Shopify access token is one of the most critical steps in the process. An access token acts as a secure credential that allows your application to authenticate API requests and interact with your store's data programmatically.
In 2026, Shopify's ecosystem continues to evolve with enhanced security requirements and streamlined processes for developers. This comprehensive guide walks you through everything you need to know about getting a Shopify store access token, from understanding prerequisites to implementing your first authenticated API call.
What You Need
- A Shopify store (any plan, including development stores)
- Admin access to your Shopify store
- A clear understanding of what data your app needs to access
- Your store's domain (e.g., mystore.myshopify.com)
- A secure location to store the access token (environment variables, secure vault, etc.)
- Basic familiarity with API concepts and authentication flows
- Your app's Client ID and Client Secret (if using OAuth)
- A development environment or server to host your custom app
Required API Scopes
Before generating your access token, you must define the specific permissions (scopes) your application requires. Shopify uses scopes to control what data and actions your app can access. Always follow the principle of least privilege—request only the scopes you actually need.
| Scope | What It Allows |
|---|---|
| read_products | Read product information, including titles, descriptions, prices, and variants |
| write_products | Create, update, and delete products in your store |
| read_orders | Access order details, including customer information and line items |
| write_orders | Create, update, and manage orders programmatically |
| read_customers | Read customer data including contact information and purchase history |
Step-by-Step Guide
Follow these steps to generate your Shopify access token. The process differs slightly depending on whether you're creating a custom app or using OAuth flow for a public app.
Method 1: Creating a Custom App Token (Recommended for Single Store)
Step 1: Access the Shopify Admin Dashboard
Log in to your Shopify store's admin panel using your credentials. Navigate to the Settings section, typically found in the bottom left of the sidebar. This is where you'll manage your store's configuration and integrations.
Step 2: Navigate to Apps and Integrations
From the Settings menu, look for "Apps and integrations" or "Developer tools." In 2026, Shopify has consolidated this section for easier access. Click on it to expand the submenu.
Step 3: Select "Develop apps"
Within the Apps and integrations section, you'll find an option to "Develop apps" or "Create an app." Click this button to start creating your custom application. If you haven't enabled development mode, Shopify may prompt you to do so first.
Step 4: Create a New App
Click the "Create an app" button. A dialog will appear asking for your app's name. Enter a descriptive name that reflects what your application does—for example, "Inventory Sync Tool" or "Custom Order Dashboard." Confirm the creation.
Step 5: Configure API Credentials
Once your app is created, navigate to the "Configuration" or "API Credentials" tab. This is where you'll set up the permissions your app needs. Click on "Configuration" and look for the "Admin API access scopes" section.
Step 6: Select Required Scopes
Review the available scopes and select only those your application requires. For example, if you're building an inventory management tool, you'd select read_products and write_products. After selecting your scopes, save the configuration.
Step 7: Generate Access Token
Navigate to the "API credentials" tab. You'll see a section labeled "Admin API access token." Click the "Reveal token" button or "Generate access token" button if one hasn't been created yet. Shopify will display your access token—this is a long, encrypted string.
Step 8: Securely Store Your Token
Copy your access token immediately and store it in a secure location. Never commit it to version control or expose it in client-side code. Use environment variables or a secrets management system:
# In your .env file (DO NOT commit to version control)
SHOPIFY_ACCESS_TOKEN=shpat_1234567890abcdefghijklmnopqrstuvwxyz
# In your Node.js application
const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;
const storeUrl = process.env.SHOPIFY_STORE_URL;
Method 2: OAuth Flow (For Public Apps)
Step 1: Create a Public App
If you're building an app for multiple stores, create a public app instead. Follow steps 1-4 above, but ensure your app type is set to "Public app."
Step 2: Retrieve Client ID and Client Secret
In the API credentials section, you'll see your Client ID and Client Secret. These credentials are used to initiate the OAuth flow. Store both securely on your server.
Step 3: Implement OAuth Authorization URL
Generate an authorization URL that redirects merchants to Shopify's permission screen:
const clientId = process.env.SHOPIFY_CLIENT_ID;
const redirectUri = process.env.SHOPIFY_REDIRECT_URI;
const scopes = ['read_products', 'write_products', 'read_orders'].join(',');
const storeUrl = 'example-store.myshopify.com';
const authUrl = `https://${storeUrl}/admin/oauth/authorize?client_id=${clientId}&scope=${scopes}&redirect_uri=${redirectUri}`;
// Redirect user to this URL
console.log(authUrl);
Step 4: Exchange Authorization Code for Access Token
After the merchant approves permissions, they're redirected to your redirect URI with an authorization code. Exchange this code for an access token:
const axios = require('axios');
async function getAccessToken(authCode, storeUrl) {
const response = await axios.post(
`https://${storeUrl}/admin/oauth/access_token`,
{
client_id: process.env.SHOPIFY_CLIENT_ID,
client_secret: process.env.SHOPIFY_CLIENT_SECRET,
code: authCode
}
);
const accessToken = response.data.access_token;
console.log('Access Token:', accessToken);
return accessToken;
}
Step 5: Use the Access Token
Now you can use the access token to make authenticated API requests to the Shopify GraphQL or REST API.
Method 3: Making Your First API Call
Once you have your access token, test it with a simple API request:
curl -X GET "https://your-store.myshopify.com/admin/api/2024-01/products.json" \
-H "X-Shopify-Access-Token: shpat_1234567890abcdefghijklmnopqrstuvwxyz"
If successful, this request returns a JSON response with your store's products. If you receive a 401 Unauthorized error, verify that your token is correct and has the appropriate scopes.
Using GetShopifyToken (Faster Method)
While the manual process described above gives you complete control, GetShopifyToken streamlines the entire process. This service automates token generation and management, eliminating manual steps and reducing the chance of configuration errors.
GetShopifyToken is particularly useful if you're managing multiple Shopify stores or need to frequently regenerate tokens for security purposes. The platform securely handles your credentials and provides a simple dashboard to view and manage all your access tokens in one place.
Common Issues
- 401 Unauthorized Error: Your access token is invalid, expired, or doesn't have the required scopes. Verify the token is correct and that your scopes match your API request.
- Insufficient Scopes: You're attempting to access data your token doesn't have permission for. Add the necessary scopes to your app configuration and regenerate the token.
- Token Not Appearing: Ensure you've selected at least one API scope before attempting to generate a token. Shopify requires explicit scope selection.
- 403 Forbidden: Your store account doesn't have permission to perform this action. Verify you have admin access to the store.
- Rate Limiting: You've exceeded Shopify's API rate limits. Implement exponential backoff and request throttling in your application.
- Store Access Revoked: If an admin removes your custom app, the access token becomes invalid immediately. Create a new app and generate a new token.
- Token Exposure: If your token is accidentally committed to a public repository, regenerate it immediately. Shopify cannot retroactively revoke exposed tokens.
Related Guides
- How to Use Shopify GraphQL Admin API with Your Access Token
- Shopify REST API Authentication and Best Practices
- Managing Multiple Shopify Store Tokens Securely
Frequently Asked Questions
Q: Does my access token expire?
No, custom app access tokens generated through the Shopify admin don't expire. However, they become invalid if the app is deleted, uninstalled, or if an admin explicitly revokes access. For OAuth tokens, expiration depends on your implementation, but Shopify's standard tokens don't have a built-in expiration unless your custom app logic implements it.
Q: Can I use the same access token across multiple stores?
No. Each access token is specific to a single Shopify store. If you need to access multiple stores, you must generate a separate token for each store. For public apps distributed to multiple merchants, use the OAuth flow to obtain unique tokens for each merchant's store.
Q: What's the difference between custom apps and public apps?
Custom apps are designed for a single store and use access tokens you generate directly in the admin. Public apps are installed by multiple merchants and use OAuth to obtain access tokens dynamically. Use custom apps for internal tools and integrations specific to your store; use public apps if you're building a product for the Shopify App Store.
Q: Is it safe to store my access token in environment variables?
Yes, environment variables are a secure way to store access tokens, provided you follow best practices: never commit .env files to version control, use a secrets management tool in production (like AWS Secrets Manager or HashiCorp Vault), and restrict access to your server. Avoid storing tokens in client-side code or databases without encryption.
Q: What should I do if my access token is compromised?
Immediately delete your custom app from the Shopify admin to revoke the token. Then create a new app and generate a new access token. For OAuth tokens, implement a token revocation mechanism. Monitor your store's audit log for any suspicious API activity.