How to Get a Shopify Access Token for Custom App Development
A Shopify access token is essential for developers who want to build custom applications, integrate third-party services, or automate store operations. Whether you're creating a private app for your own store or developing an application for multiple merchants, understanding how to properly generate and manage access tokens is crucial for secure API communication with Shopify in 2026.
This comprehensive guide walks you through the entire process of obtaining a Shopify store token, from initial setup to implementation. We'll cover both the traditional manual method and the streamlined automated approach that saves time and reduces errors.
What You Need
- A Shopify store (development, plus, or custom plan)
- Admin access to your Shopify store dashboard
- Basic understanding of API authentication concepts
- A development environment or tool to make API calls (curl, Postman, or similar)
- Knowledge of OAuth 2.0 flow (for public apps) or basic app creation (for custom apps)
- A text editor to securely store your token
- Network connectivity to access Shopify's API servers
Required API Scopes
API scopes define what permissions your access token has within your Shopify store. You'll need to select the appropriate scopes based on your application's requirements. Here are the most commonly used scopes when requesting access tokens:
| Scope | What It Allows |
|---|---|
| read_products | Read access to product information, variants, and inventory data |
| write_products | Create, update, and delete products in your store |
| read_orders | Read access to order details, customer information, and transaction history |
| write_orders | Create and modify orders, including order fulfillment and refunds |
| read_customers | Access customer data including profiles, addresses, and purchase history |
Step-by-Step Guide
Step 1: Log Into Your Shopify Admin
Navigate to your Shopify admin dashboard by visiting https://admin.shopify.com and logging in with your credentials. If you have multiple stores, select the store for which you need the access token. This is critical because each store maintains separate access tokens and API credentials.
Step 2: Access the Apps and Integrations Section
In the Shopify admin, locate the "Apps and integrations" menu on the left sidebar. This section manages all connections between your store and external applications, including custom apps that you develop. Click on "Apps and integrations" to expand the menu options available to you.
Step 3: Navigate to Custom Apps
Within the Apps and integrations section, look for "Develop apps" or "Custom apps" (the exact name may vary slightly in 2026). Click this option to access the custom app management interface where you can create new applications or manage existing ones.
Step 4: Create a New App
Click the "Create an app" or "New app" button to initiate the app creation process. You'll be prompted to enter a name for your application. Choose a descriptive name that clearly indicates the app's purpose, such as "Inventory Sync Tool" or "Customer Data Exporter." This name helps you identify the app later when managing multiple integrations.
Step 5: Set Up App Configuration
After naming your app, you'll need to configure its settings. Select the "Configuration" or "Admin API" tab depending on your interface. This is where you specify which API scopes your app requires. Review the list of available scopes and select only those necessary for your application's functionality. Requesting excessive permissions violates security best practices and may be rejected during review.
Step 6: Select Required Scopes
Check the boxes next to each scope your application needs. For example, if you're building an inventory management tool, you'd select read_products and write_products. If you're syncing customer data, you'd select read_customers and potentially write_customers. Save your scope selections before proceeding.
Step 7: Generate the Access Token
Once your app is configured with the appropriate scopes, Shopify will generate an access token automatically. Look for a section labeled "Admin API access token" or similar. This token will be displayed once, so copy it immediately and store it securely. Never share this token or commit it to version control repositories.
Step 8: Save Your Credentials Securely
Store your access token in a secure location, such as an environment variable file (.env), a secrets manager, or a password manager. The token format typically looks like this:
shpat_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6pStep 9: Test Your Token
Verify that your token works by making a test API call. Use this curl command to check your token's validity:
curl -X GET "https://YOUR-STORE.myshopify.com/admin/api/2024-01/shop.json" \
-H "X-Shopify-Access-Token: YOUR_ACCESS_TOKEN"Replace "YOUR-STORE" with your actual store name and "YOUR_ACCESS_TOKEN" with the token you just generated. A successful response will return your shop information in JSON format, confirming that authentication is working correctly.
Step 10: Implement in Your Application
Once verified, use your token in your application's API calls. Here's an example of fetching products with your token:
curl -X GET "https://mystore.myshopify.com/admin/api/2024-01/products.json?limit=50" \
-H "X-Shopify-Access-Token: shpat_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p"Always pass your token in the X-Shopify-Access-Token header for every API request. Never include it in query parameters or request bodies, as this creates security vulnerabilities.
Using GetShopifyToken (Faster Method)
While the manual process described above is straightforward, it involves several steps and opportunities for mistakes. If you want to streamline token generation and management, consider using https://getshopifytoken.com, which automates much of this process.
GetShopifyToken simplifies obtaining your access token by guiding you through an interactive setup wizard that handles scope selection, verification, and secure token storage. This service is particularly valuable if you're managing tokens for multiple stores or want to ensure compliance with current security standards. The platform also provides helpful documentation and support for integrating tokens into your application architecture.
Common Issues
- Token Not Displaying: If your token doesn't appear after app creation, refresh the page or try creating the app again. Some browser caching issues can prevent the token from displaying initially.
- 401 Unauthorized Errors: This typically means your token is invalid, expired, or not being passed correctly in your request headers. Verify you're using the exact token string with no extra spaces or characters.
- Insufficient Permissions: If your API calls are rejected with permission errors, ensure you've requested all necessary scopes. You may need to regenerate your token with additional scopes.
- Token Accidentally Exposed: If you've shared your token publicly, immediately regenerate it in your admin dashboard to prevent unauthorized access to your store.
- API Endpoint Not Found (404 Errors): Ensure you're using the correct API version in your endpoint URL. The current stable version is 2024-01, but this may change in future Shopify updates.
- Rate Limiting Issues: Shopify enforces API rate limits. If you're making too many requests, implement exponential backoff and request queuing in your application.
- Token Lost or Forgotten: You cannot retrieve a previously generated token. If lost, you must generate a new one and update all applications using the old token.
Related Guides
- Getting Started with Shopify GraphQL Admin API: A Complete Guide for Developers
- Understanding OAuth 2.0 for Shopify App Development and Merchant Authorization
- Best Practices for Storing and Managing Shopify Access Tokens Securely
Frequently Asked Questions
Q: How long does a Shopify access token last?
Shopify access tokens for custom apps don't expire automatically. They remain valid indefinitely until you manually revoke them through your admin dashboard or regenerate a new token. This makes them ideal for long-running background processes and integrations. However, you should regenerate tokens periodically as a security best practice, and immediately if you suspect they've been compromised.
Q: Can I use the same token across multiple applications?
Technically yes, but it's not recommended. Best practices suggest creating separate apps and tokens for different applications to maintain granular control and security. If one token is compromised, you only need to revoke that specific token rather than affecting all your integrations. Additionally, separate tokens make it easier to track which application is making which API calls for debugging and auditing purposes.
Q: What's the difference between custom app tokens and OAuth tokens?
Custom app tokens are generated for private applications that only access your own store. They don't require user authentication or a handshake process. OAuth tokens, by contrast, are used for public apps that multiple merchants will authorize. OAuth involves a complete authentication flow where the merchant grants permission. For most custom integrations, custom app tokens are simpler and more appropriate.
Q: How do I revoke an access token?
Navigate to Apps and integrations > Develop apps in your Shopify admin, select your custom app, and look for the "Revoke access" or "Delete app" option. This immediately invalidates the token, and any applications using it will stop functioning. Always notify downstream applications before revoking tokens to prevent service disruptions.
Q: Are there any security considerations when handling access tokens?
Absolutely. Never hardcode tokens directly in your source code or commit them to version control repositories. Use environment variables or a secure secrets management system instead. Rotate tokens periodically, monitor for unauthorized access patterns, and implement the principle of least privilege by requesting only necessary scopes. If you suspect a token has been compromised, revoke it immediately and generate a replacement.