How to Get a Shopify Access Token for Store Automation & API Integration
Getting a Shopify access token is essential for developers and store owners who want to automate workflows, integrate third-party applications, or build custom solutions. In 2026, Shopify's token generation process has become more streamlined, but understanding the nuances remains critical for security and functionality.
This comprehensive guide walks you through every step of obtaining a Shopify store token, from initial setup to implementation, ensuring you have the knowledge to integrate with Shopify's powerful API ecosystem.
What You Need
- A Shopify store (development or live store)
- Admin access to your Shopify store
- Access to the Shopify App settings in your admin dashboard
- Basic understanding of API authentication concepts
- A text editor or IDE for storing and managing tokens securely
- Knowledge of your specific use case (custom app, third-party integration, or automation)
- A secure method to store sensitive credentials (password manager or environment variables)
Understanding Shopify Access Tokens
A Shopify access token is a unique identifier that grants programmatic access to your store's data and functionality. It acts as a digital key that authenticates API requests on your behalf. Unlike traditional passwords, access tokens are specific to applications and can be revoked without affecting other store operations.
In 2026, Shopify offers two primary token types: private app tokens (for custom integrations) and OAuth tokens (for public apps). This guide focuses on both approaches, helping you choose the right method for your needs.
Required API Scopes
API scopes determine what data and actions your token can access. It's critical to request only the minimum scopes necessary for your application—this follows the principle of least privilege and enhances security.
| Scope | What It Allows |
|---|---|
| read_products | Read product data, variants, and inventory information from your store |
| write_products | Create, update, and delete products and their variants |
| read_orders | Access order information, customer details, and transaction history |
| write_orders | Create and modify orders, including order notes and fulfillment details |
| read_customers | Retrieve customer information, addresses, and account details |
Step-by-Step Guide
Step 1: Log Into Your Shopify Admin Dashboard
Begin by navigating to your Shopify store's admin dashboard. Log in with your credentials. You must have admin or developer access to create tokens. Once logged in, you'll see the main dashboard with various menu options on the left sidebar.
Step 2: Navigate to Apps and Integrations
Click on Apps and sales channels in the left sidebar. This section houses all integrations and custom applications connected to your store. Next, select App and integration settings to access the area where you'll manage API credentials.
Step 3: Access Developer Settings
Within App and integration settings, look for Develop apps or Development section. Click on this option to enter the development environment. If you don't see this option immediately, you may need to enable developer mode first by clicking the toggle switch labeled "Allow custom app creation" or similar wording.
Step 4: Create a New Custom App or Private App
Click the Create an app button. You'll be prompted to enter an app name. Choose a descriptive name that reflects your integration's purpose—for example, "Inventory Management System" or "Order Automation Tool." This helps you identify the token's purpose later.
Step 5: Configure Admin API Access Scopes
After naming your app, navigate to the Configuration tab. Under Admin API scopes, you'll see a list of available permissions. Carefully select only the scopes your integration requires. For example, if you're building an inventory management tool, select read_products and write_products, but avoid requesting unnecessary scopes like read_customers or write_orders.
Step 6: Save and Review Permissions
Click Save to apply your scope selections. Shopify will display a confirmation screen summarizing the permissions you've granted. Review this carefully to ensure all scopes are appropriate for your use case.
Step 7: Generate Your Access Token
Return to the app's main page and locate the API Credentials section. Here you'll find your:
- API Key (also called Client ID)
- API Secret (also called Client Secret)
- Access Token
Click Reveal token or Generate token to display your access token. This token is sensitive—treat it like a password.
Step 8: Copy and Securely Store Your Token
Copy your access token immediately and store it in a secure location. Never commit tokens to version control systems like GitHub. Use environment variables instead.
# Example: Storing token in .env file (DO NOT commit to version control)
SHOPIFY_ACCESS_TOKEN=shpat_1234567890abcdefghijklmnop
# Example: Using token in a curl request
curl -X GET "https://your-store.myshopify.com/admin/api/2024-01/products.json" \
-H "X-Shopify-Access-Token: shpat_1234567890abcdefghijklmnop"
Step 9: Test Your Token
Verify your token works by making a test API request. Use the curl command above, replacing the placeholder values with your actual store URL and token. A successful response confirms your token is valid and your scopes are correctly configured.
Step 10: Implement Token in Your Application
Integrate your token into your application by loading it from environment variables. Never hardcode tokens directly into your codebase. For example, in Node.js:
const shopifyToken = process.env.SHOPIFY_ACCESS_TOKEN;
const storeUrl = process.env.SHOPIFY_STORE_URL;
async function fetchProducts() {
const response = await fetch(
`https://${storeUrl}/admin/api/2024-01/products.json`,
{
method: 'GET',
headers: {
'X-Shopify-Access-Token': shopifyToken,
'Content-Type': 'application/json'
}
}
);
return response.json();
}
Using GetShopifyToken (Faster Method)
If you find the manual process time-consuming or complex, https://getshopifytoken.com automates the Shopify token generation process. This platform streamlines the steps outlined above, allowing you to generate and manage tokens quickly without navigating multiple Shopify dashboard screens. It's particularly useful for developers managing multiple stores or those new to Shopify's API ecosystem.
Common Issues
- Token Not Appearing: Ensure you've saved your app configuration and assigned at least one API scope. Tokens only generate when scopes are active.
- Permission Denied Errors: Verify your token includes the necessary scopes for the API endpoint you're accessing. Check the error message to identify missing permissions.
- Token Expired: Shopify access tokens don't expire naturally, but they're revoked if you deactivate the app. Keep your app active if you need continued access.
- Invalid Store URL: Double-check your store URL format. It should be:
your-store.myshopify.comwithout https:// or trailing slashes in most API contexts. - Rate Limiting: If you exceed Shopify's API rate limits, requests will be rejected. Implement exponential backoff retry logic in your application.
- Scope Mismatch: If your app needs additional permissions later, return to Configuration, add the scopes, save, and regenerate the token.
- Development Store Restrictions: Some features aren't available in development stores. If testing production features, use a live store instead.
Security Best Practices
When working with Shopify access tokens, prioritize security at every step. Store tokens in environment variables, not in code. Use different tokens for development, staging, and production environments. Regularly audit your connected apps and revoke tokens for integrations you no longer use. Monitor API logs for unusual activity that might indicate compromised credentials. Finally, never share your token via email or unencrypted channels.
Related Guides
- How to Revoke a Shopify Access Token and Disconnect Apps
- Shopify Admin API Authentication Methods in 2026
- Building Custom Apps with Shopify: A Complete Developer Guide
Frequently Asked Questions
Q: Can I use the same access token for multiple applications?
Technically yes, but it's not recommended. Each application should have its own token and scopes. This follows security best practices and makes it easier to manage permissions and revoke access if needed. If one application is compromised, you'd only need to regenerate that specific token rather than affecting all integrations.
Q: How long does a Shopify access token remain valid?
Shopify access tokens don't have an expiration date. They remain valid indefinitely until you explicitly revoke them by deactivating the associated app. This is different from OAuth tokens in some other platforms that may require periodic refreshing. However, it underscores the importance of keeping your tokens secure—a leaked token provides permanent access until revoked.
Q: What's the difference between a custom app token and an OAuth token?
Custom app tokens are generated directly in your Shopify admin for private integrations specific to your store. OAuth tokens are used by public apps that multiple Shopify merchants can install. For most store owners and individual developers, custom app tokens are the appropriate choice. OAuth is necessary if you're building a public app for distribution through the Shopify App Store.
Q: Can I regenerate my access token if I forget to save it?
Yes. Return to your app's Configuration page in the Shopify admin, and click "Regenerate" or "Reveal token" again. Keep in mind that regenerating a token invalidates the previous one, so any applications using the old token will stop working until you update them with the new token.