How to Get a Shopify Access Token for Storefront API Integration
Getting a Shopify access token is essential for developers who want to build custom applications, integrate third-party services, or create headless commerce solutions. Whether you're building a mobile app, integrating with your inventory management system, or creating a custom storefront, understanding how to obtain and manage Shopify access tokens is crucial. This comprehensive guide will walk you through the process of getting a Shopify storefront token in 2026, covering everything from prerequisites to troubleshooting common issues.
A Shopify access token acts as a security credential that allows your application to interact with a Shopify store's data and functionality. There are two main types of tokens: private app tokens (for admin API) and storefront tokens (for Storefront API). This guide focuses specifically on obtaining storefront access tokens, which enable you to build customer-facing experiences without exposing sensitive admin data.
What You Need
- A Shopify store (any plan level: Basic, Standard, Premium, or Advanced)
- Admin access to your Shopify store
- Access to Shopify App Settings or the Partner Dashboard
- A development environment or code editor (VS Code, WebStorm, etc.)
- Basic understanding of REST APIs and authentication
- Node.js or a similar runtime if testing API calls locally
- cURL or Postman for testing API endpoints
- An understanding of your desired use case and required API scopes
Required API Scopes
API scopes define what permissions your access token has. Different use cases require different scopes. Here are the most common scopes needed for Storefront API integration:
| Scope | What It Allows |
|---|---|
| unauthenticated_read_product_listings | Read public product information without authentication. Essential for displaying products on custom storefronts. |
| unauthenticated_write_checkouts | Create and modify checkouts without customer authentication. Needed for custom cart and checkout flows. |
| unauthenticated_read_checkouts | Retrieve checkout information without authentication. Allows you to fetch cart details and checkout status. |
| unauthenticated_read_customer_tags | Read customer tags without authentication. Useful for personalization and customer segmentation features. |
| unauthenticated_read_collection_publications | Access collection information for your storefront. Enables filtering and organizing products by collections. |
Step-by-Step Guide
Follow these detailed steps to obtain your Shopify storefront access token:
Step 1: Log In to Your Shopify Admin Dashboard
First, navigate to your Shopify store's admin dashboard at https://admin.shopify.com. Enter your email and password, and authenticate using two-factor authentication if enabled. Once logged in, you'll see your store's main dashboard with various menu options on the left sidebar.
Step 2: Navigate to Apps and Integrations
In the Shopify admin dashboard, look for the "Apps and integrations" section in the left sidebar menu. Click on it to expand the options. You should see several sub-menu items including "App and sales channel settings" and "Develop apps".
Step 3: Enable Development Apps (If Required)
If you haven't already set up development apps, you'll need to enable this feature. Look for "Develop apps" or "Apps" in the Apps and integrations section. If you see a message that development apps are disabled, click "Allow custom app development" or "Enable development app" button. You may be asked to accept terms and conditions regarding Shopify's developer policies.
Step 4: Create a New App
Click on "Create an app" or "Create app" button. A dialog box will appear asking for your app name. Enter a descriptive name that reflects your use case, such as "Storefront Integration," "Mobile App Token," or "Custom Checkout Integration." This name is only visible to you and helps organize multiple apps.
Step 5: Select Your App Type and Purpose
Shopify will ask you to specify what type of app you're creating. Select "Storefront API" if you're building a custom storefront or headless commerce experience. Specify your use case in the provided description field, such as "Building a custom Next.js storefront" or "Mobile app integration."
Step 6: Configure API Scopes
After creating your app, navigate to the "Configuration" tab. Here you'll see the "Admin API access scopes" and "Storefront API access scopes" sections. For storefront integration, focus on the Storefront API scopes. Select only the scopes your application actually needs. For a basic product listing and checkout integration, you'll typically need:
unauthenticated_read_product_listingsunauthenticated_write_checkoutsunauthenticated_read_checkouts
Only request the minimum scopes necessary for security best practices.
Step 7: Generate Your Access Token
Once you've selected your scopes, click "Save" to apply the changes. Your app will now be created. Navigate to the "API credentials" tab to find your access token. You'll see:
- Storefront API access token: This is your public token for Storefront API calls
- API key: Your application's unique identifier
- API secret: Keep this secure and never expose it publicly
Click "Reveal token" to display your full access token. Copy this token immediately and store it securely.
Step 8: Test Your Token with an API Call
Before integrating your token into your application, test it with a simple API call. Use cURL to verify your token works correctly. Here's an example that retrieves basic product information:
curl -X POST https://your-store.myshopify.com/api/2024-01/graphql.json \
-H "Content-Type: application/json" \
-H "X-Shopify-Storefront-Access-Token: YOUR_ACCESS_TOKEN_HERE" \
-d '{
"query": "{ products(first: 5) { edges { node { id title handle } } } }"
}'Replace your-store with your actual store name and YOUR_ACCESS_TOKEN_HERE with your generated token. If the request returns product data without errors, your token is working correctly.
Step 9: Securely Store Your Token
Never hardcode your access token directly into your application code or commit it to version control. Instead, use environment variables. Create a .env file in your project:
SHOPIFY_STOREFRONT_TOKEN=your_actual_token_here
SHOPIFY_STORE_NAME=your-store.myshopify.com
SHOPIFY_API_VERSION=2024-01Add .env to your .gitignore file to prevent accidental exposure. Load these variables in your application code using a package like dotenv for Node.js projects.
Step 10: Implement Token Rotation and Management
For production applications, implement a token rotation strategy. Shopify recommends regenerating tokens periodically (monthly or quarterly). Set a calendar reminder to review and rotate your tokens. If you suspect a token has been compromised, immediately generate a new one and revoke the old one through the Shopify admin.
Using GetShopifyToken (Faster Method)
While the manual process works well, it involves multiple steps and configuration decisions that can be time-consuming. If you want to streamline the process significantly, consider using GetShopifyToken (available at https://getshopifytoken.com). This service automates much of the token creation and retrieval process, allowing you to generate valid Shopify storefront tokens in minutes rather than hours.
GetShopifyToken handles scope selection, API configuration, and token generation automatically based on your stated use case. This is particularly valuable if you manage multiple Shopify stores or create tokens frequently for client projects. The platform also provides best practices guidance and security recommendations specific to your implementation.
Common Issues
- Authentication Errors (401 Unauthorized): Verify your token is correct, hasn't expired, and matches the API version you're using. Check that you're sending the token in the correct header (
X-Shopify-Storefront-Access-Token). - Insufficient Permissions (403 Forbidden): Ensure your token has the required scopes for the operation you're attempting. Review which scopes your app has configured and add additional ones if needed.
- Token Not Appearing in Admin: If you created an app but don't see the token, ensure you've saved the API configuration and that your app hasn't been deleted. Check that you're looking in the correct app's credentials tab.
- GraphQL Query Errors: Verify your GraphQL query syntax using Shopify's GraphQL Explorer. Common issues include requesting fields that don't exist or using incorrect argument names.
- Rate Limiting (429 Too Many Requests): Your token has API rate limits. Implement exponential backoff retry logic in your application to handle rate-limited responses gracefully.
- Token Accidentally Exposed: If you believe your token has been exposed, immediately revoke it in the Shopify admin and generate a new one. Review API activity logs for suspicious requests.
- CORS Errors in Browser: Storefront API calls from browsers may fail due to CORS restrictions. Use a backend service to proxy API requests or configure CORS headers appropriately.
Related Guides
- How to Implement Shopify Storefront API Authentication in React
- Building a Custom Headless Shopify Storefront with Next.js
- Managing Multiple Shopify Store Tokens Securely in Production
Frequently Asked Questions
Q: What's the difference between a Storefront API token and an Admin API token?
A Storefront API token is designed for customer-facing applications and has limited permissions focused on reading product data and managing checkouts. An Admin API token grants much broader access to store management functions and is intended for internal tools and custom admin applications. Storefront tokens are safe to expose to clients; Admin tokens must always remain private.
Q: How long do Shopify access tokens last?
Shopify access tokens don't expire automatically. However, they remain valid only as long as your app exists. If you delete an app, its token becomes invalid. For security, manually rotate tokens periodically even if they don't expire. Implement a quarterly rotation schedule for production applications.
Q: Can I use the same token across multiple storefronts or applications?
Each token is specific to the Shopify store and app where it was created. You cannot reuse a token from one store in another store. If you manage multiple Shopify stores, you'll need to create separate apps and tokens for each store. However, you can use the same token across multiple instances of the same application, provided they're accessing the same Shopify store.