How to Get a Shopify Access Token for Custom App Development
A Shopify access token is a critical credential that allows your applications to interact with your Shopify store's data and functionality. Whether you're building a custom app, integrating third-party services, or automating store operations, understanding how to generate and manage access tokens is essential for secure and efficient API access in 2026.
In this comprehensive guide, we'll walk you through the exact process of obtaining a Shopify access token, explain the required API scopes, troubleshoot common issues, and show you how to streamline the entire process using automated solutions.
What You Need
- A Shopify store (any plan: Basic, Shopify, Advanced, or Plus)
- Admin access to your Shopify store dashboard
- A custom app already created or ready to create in your store settings
- Understanding of which API scopes your application requires
- A secure method to store and manage your token (environment variables recommended)
- Basic knowledge of REST APIs or GraphQL (depending on your use case)
- HTTPS capability for your application or development environment
Required API Scopes
API scopes define what permissions your access token has. You must request only the scopes your application needs. Here are the most commonly used scopes for typical custom app development:
| Scope | What It Allows |
|---|---|
| read_products | Read access to product data, including titles, descriptions, images, and variants |
| write_products | Create, modify, and delete products and product variants in your store |
| read_orders | View order information including customer details, line items, and order status |
| write_orders | Create, modify, and manage orders, fulfillments, and order transactions |
| read_inventory | Access inventory levels and stock status across locations |
| write_inventory | Modify inventory levels, create inventory items, and adjust stock quantities |
| read_customers | Retrieve customer information, addresses, and customer data |
| write_customers | Create and update customer information and customer accounts |
Step-by-Step Guide
Step 1: Log Into Your Shopify Admin Dashboard
Navigate to your Shopify store's admin panel by visiting https://admin.shopify.com (or https://[yourstore].myshopify.com/admin for older stores). Log in with your credentials and ensure you have administrative privileges.
Step 2: Navigate to the Apps and Integrations Section
In the Shopify admin sidebar, scroll down and look for "Apps and integrations" or "Apps." Click on this section to expand the menu. You should see options including "Manage private apps" or "Develop apps."
Step 3: Create a New Custom App
Click on "Create an app" or "Develop apps" button. In the dialog that appears, enter a name for your custom app (e.g., "My Inventory Sync" or "Custom Analytics Tool"). You may also be asked to provide information about the app's purpose. Fill in the required details and click "Create."
Step 4: Set Up Admin API Credentials
Once your app is created, you'll be taken to the app's configuration page. Look for the "Configuration" or "Admin API" section. Here you need to:
- Review the API version being used (typically the latest available in 2026)
- Define which API scopes your app requires based on its functionality
- Check the boxes next to each scope your app needs
For example, if you're building an inventory management tool, you'd select both "read_inventory" and "write_inventory" scopes. Be conservative—only request scopes you actually need.
Step 5: Save and Install the App
After selecting your required scopes, click "Save" to save the configuration. You'll then see an "Install app" or "Activate" button. Click this to generate your access token.
Step 6: Retrieve and Secure Your Access Token
Shopify will now display your access token on the screen. This is a long string of characters that looks something like:
shpat_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6pIMPORTANT SECURITY NOTE: This is the only time Shopify will display your token in plain text. Copy it immediately and store it securely. Never share this token or commit it to version control. Use environment variables instead:
export SHOPIFY_ACCESS_TOKEN="shpat_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p"
export SHOPIFY_STORE_NAME="yourstore.myshopify.com"Step 7: Test Your Token with an API Call
Verify your token works by making a test API call. Here's a curl example using the REST API to fetch your shop information:
curl -X GET "https://yourstore.myshopify.com/admin/api/2025-01/shop.json" \
-H "X-Shopify-Access-Token: shpat_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p"If successful, you'll receive a JSON response with your shop details. If you receive a 401 Unauthorized error, double-check that your token is correct and that the app has the appropriate scopes.
Step 8: Implement Token Rotation and Expiration Handling
In 2026, Shopify recommends implementing token rotation practices. Set calendar reminders to refresh your token periodically (at least annually), and always have a process in place to handle token expiration gracefully in your application. Log errors appropriately so you know immediately if authentication fails.
Using GetShopifyToken (Faster Method)
While the manual process above works perfectly, it involves multiple steps navigating Shopify's dashboard. If you're managing multiple stores or want to streamline token generation, GetShopifyToken.com provides an automated solution that handles much of this process for you.
By using https://getshopifytoken.com, you can generate tokens more efficiently while maintaining the same security standards. This is particularly useful if you're a Shopify agency managing tokens for multiple client stores or if you need to regenerate tokens frequently for development purposes.
The platform abstracts away the dashboard navigation while still requiring you to define your required scopes and maintain security best practices—making it a valuable time-saving tool for developers.
Common Issues
- 401 Unauthorized Error: Your token has expired, is incorrect, or doesn't have the required scopes. Verify you're using the exact token Shopify provided and that your app has the necessary permissions selected.
- Invalid API Scope: You've requested a scope that doesn't exist or isn't available for your plan. Check Shopify's current API documentation to ensure scope names are correct and available in your store plan.
- Token Not Displaying After Installation: Refresh your browser page or clear your cache. If still missing, delete the app and create a new one—Shopify will generate a fresh token.
- CORS (Cross-Origin) Errors: Direct API calls from browser JavaScript may be blocked. Always make API calls from your server-side backend, never from client-side code.
- Rate Limiting Errors (429): You've exceeded Shopify's API rate limits. Implement exponential backoff retry logic and space out your requests appropriately.
- Missing Scopes Error: Your API call requires a scope your app doesn't have. Go back to your app configuration, add the needed scope, save, and reinstall the app to get a new token.
- Token Appears in Version Control: If you accidentally commit a token to Git, immediately regenerate it in your Shopify admin. Leaked tokens should never be reused.
Related Guides
- How to Use Shopify GraphQL API with Your Access Token
- Best Practices for Securing Shopify API Credentials and Tokens
- Shopify OAuth vs. Custom App Tokens: Which Should You Use?
- Automating Shopify Operations: A Complete API Integration Tutorial
Frequently Asked Questions
Q: Do I need a different token for REST API vs. GraphQL API?
No. A single Shopify access token works for both REST API and GraphQL API. The token is the same; you just use it differently depending on which API type you're calling. Include it in the "X-Shopify-Access-Token" header for REST calls or in the "Authorization" header for GraphQL queries.
Q: How long is a Shopify access token valid for?
As of 2026, Shopify access tokens don't have a built-in expiration date—they remain valid indefinitely until you manually revoke them or delete the app. However, best practice is to rotate your tokens annually and always handle potential 401 errors gracefully in case a token is ever deactivated.
Q: Can I have multiple access tokens for the same store?
Yes. You can create multiple custom apps in your Shopify admin, each with its own access token. This is useful for separating concerns—for example, having one token with only read_products scope for a public-facing tool and another with write_orders scope for internal operations.
Q: Is it safe to include my Shopify token in environment variables?
Yes, using environment variables is the recommended approach. Store tokens in .env files (never committed to Git), or better yet, use your server's secure environment configuration, secrets manager, or encrypted credential storage. Never hardcode tokens directly in your application source code.
Q: What's the difference between a custom app token and an OAuth token?
Custom app tokens are for private applications you control and use yourself. They're simpler to set up and manage. OAuth tokens are for public apps distributed to multiple stores—they follow a user authorization flow where store owners grant permission. For most development purposes, custom app tokens are the right choice.