How to Get a Shopify Access Token for Storefront API Integration
In 2026, obtaining a Shopify storefront access token is essential for developers, agencies, and businesses looking to build custom storefronts, integrate third-party applications, or create headless commerce solutions. Whether you're building a progressive web app, mobile application, or custom shopping experience, understanding how to generate and manage Shopify access tokens is crucial for secure API communication.
This comprehensive guide walks you through the process of obtaining a Shopify storefront access token, configuring the necessary permissions, and implementing it correctly in your projects.
What You Need
- An active Shopify store (development or production store)
- Admin access to your Shopify store dashboard
- A custom app created in the Shopify Admin panel
- Understanding of API scopes and permissions
- Basic knowledge of HTTP requests and REST APIs
- A code editor or terminal for implementation
- HTTPS-enabled development environment (for security)
- Familiarity with authentication headers and Bearer tokens
Required API Scopes
API scopes determine what permissions your access token has when interacting with the Shopify API. Choose only the scopes your application actually needs to follow the principle of least privilege.
| Scope | What It Allows |
|---|---|
| storefront_api_credentials:read | Read and retrieve storefront API credentials and access tokens from your store |
| graphql_query_costs:read | Access information about GraphQL query costs and API rate limits |
| custom_app_access_required | Enables custom app functionality with required access scopes for your implementation |
| unauthenticated_read_product_listings | Read product listings without authentication (useful for public storefronts) |
| unauthenticated_read_customers | Read customer information on the storefront without requiring customer login |
Step-by-Step Guide
Step 1: Access Your Shopify Admin Dashboard
Log in to your Shopify store with an account that has admin permissions. Navigate to your store's admin panel by going to https://admin.shopify.com or accessing it through your store URL. This is where you'll create and manage your access tokens.
Step 2: Create a Custom App
In the Shopify Admin, look for the "Apps and integrations" section in the left sidebar. Click on "Apps and integrations," then select "Develop apps." If this is your first time, you may need to enable app development for your store. Click the "Create an app" button and enter a meaningful name for your custom app, such as "Storefront API Integration" or "Headless Commerce App."
Step 3: Configure Admin API Scopes
After creating your app, navigate to the "Configuration" tab. Under "Admin API access scopes," you'll see a list of available scopes. Select the scopes your application requires. For a basic storefront implementation, you'll typically need:
read_products- To fetch product dataread_collections- To access product collectionsread_customers- To manage customer data (if needed)read_orders- To retrieve order information (if needed)
Save your scope selections before proceeding to the next step.
Step 4: Generate Your Access Token
After configuring scopes, look for the "API credentials" section. Click "Install app" or "Save" to generate your Admin API access token. A new access token will be created and displayed on your screen. This token will only be shown once, so copy it immediately and store it securely. Never share this token publicly or commit it to version control systems.
Step 5: Set Up Storefront API Credentials (Alternative Method)
If you're specifically building a storefront, you may want to use the Storefront API instead of the Admin API. In the same app configuration area, look for "Storefront API credentials." Here, you can generate a public access token specifically for storefront queries. This token has more limited permissions and is safer to expose in client-side code.
# Example: Making an authenticated API call with your access token
curl -X POST https://your-store.myshopify.com/admin/api/2024-01/graphql.json \
-H "X-Shopify-Access-Token: shpat_abc123def456ghi789jkl012mnopqrst" \
-H "Content-Type: application/json" \
-d '{
"query": "{
products(first: 10) {
edges {
node {
id
title
handle
}
}
}
}"
}'
Step 6: Test Your Access Token
Use a tool like Postman, cURL, or your application code to test your access token with a simple API request. Create a GraphQL query that requests basic product information. If your request returns data successfully, your token is configured correctly. If you receive a 401 Unauthorized error, verify that your token is correct and hasn't been revoked.
Step 7: Implement in Your Application
Store your access token securely in your application's environment variables. Never hardcode tokens directly in your source code. In Node.js, for example:
// .env file
SHOPIFY_ACCESS_TOKEN=shpat_your_token_here
SHOPIFY_STORE_URL=your-store.myshopify.com
// app.js
const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;
const storeUrl = process.env.SHOPIFY_STORE_URL;
async function fetchProducts() {
const response = await fetch(
`https://${storeUrl}/admin/api/2024-01/graphql.json`,
{
method: 'POST',
headers: {
'X-Shopify-Access-Token': accessToken,
'Content-Type': 'application/json'
},
body: JSON.stringify({
query: `{
products(first: 10) {
edges {
node {
id
title
}
}
}
}`
})
}
);
return response.json();
}
Using GetShopifyToken (Faster Method)
If you find the manual process time-consuming or need to generate and manage multiple tokens efficiently, GetShopifyToken provides an automated solution. This platform streamlines the entire token generation process, allowing you to create, organize, and monitor your Shopify access tokens from a centralized dashboard.
Using getshopifytoken.com eliminates the need to navigate through multiple admin panels and can be particularly valuable when managing tokens across multiple Shopify stores. The platform handles scope configuration, token generation, and provides additional security features like token rotation reminders and access logs.
Common Issues
- 401 Unauthorized Error: Your access token is invalid, expired, or has insufficient permissions. Verify the token is correct and hasn't been revoked. Check that you're using the token in the proper Authorization header format.
- Token Not Displaying: Some tokens only display once after creation. If you didn't copy it immediately, delete the token and generate a new one.
- Insufficient Scopes: If your requests fail with permission errors, return to your app configuration and add the necessary API scopes, then regenerate your token.
- Store URL Incorrect: Ensure you're using the correct Shopify store URL format (e.g., yourstore.myshopify.com) in your API calls.
- HTTPS Required: Shopify only accepts API requests over HTTPS. Make sure your application environment supports secure connections.
- Rate Limiting: Shopify implements API rate limits. If you exceed them, implement exponential backoff in your retry logic.
- Token Leaked: If you accidentally commit your token to a public repository, immediately revoke it in your Shopify Admin and generate a new one.
Related Guides
- How to Revoke and Rotate Shopify Access Tokens for Security
- Building a Headless Storefront with Shopify Storefront API
- Shopify GraphQL API Best Practices and Query Optimization
- Integrating Shopify with Third-Party Applications Using Custom Apps
Frequently Asked Questions
Q: Can I use the same access token across multiple applications?
Technically yes, but it's not recommended for security reasons. Best practice is to create separate custom apps and access tokens for each application or integration. This way, if one token is compromised, you can revoke it without affecting other applications. It also provides better granular control over permissions and makes auditing easier.
Q: How often should I rotate my Shopify access tokens?
There's no mandatory expiration period for Shopify access tokens, but security best practices recommend rotating them every 90 days. Implement a rotation policy based on your organization's security requirements. If you suspect a token has been compromised, revoke it immediately and generate a new one. Use GetShopifyToken to set automated rotation reminders.
Q: What's the difference between Admin API and Storefront API tokens?
Admin API tokens have broad access to store data and operations, making them powerful but potentially dangerous if exposed. They should only be used in secure backend environments. Storefront API tokens have limited, read-only access to product and collection data, making them safe to use in client-side code. Choose Storefront API tokens for public-facing applications and Admin API tokens only for secure server-to-server communication.