# How to Get a Shopify Access Token for App Development and Store Integrations Shopify access tokens are essential credentials that allow you to authenticate your applications and integrations with your Shopify store. Whether you're building a custom app, connecting third-party services, or automating workflows, understanding how to generate and manage your Shopify access token is critical for secure and seamless operations. In 2026, Shopify's authentication system has evolved to provide developers with more granular control over permissions and enhanced security features. This comprehensive guide will walk you through the complete process of obtaining your Shopify access token, from initial setup to implementation. ## What You Need Before you begin generating your Shopify access token, ensure you have the following prerequisites in place: - A Shopify store (any plan: Basic, Standard, Premium, or custom) - Admin access to your Shopify store with full permissions - Access to the Shopify App Admin dashboard - A development environment or application ready to receive the token - Basic understanding of API authentication and HTTP requests - A secure method to store and manage credentials (password manager or environment variables) - Your store's unique Shopify domain (e.g., yourstore.myshopify.com) - For custom apps: the Shopify CLI installed on your local machine (optional but recommended) ## Required API Scopes API scopes define what actions and data your access token can access within your Shopify store. Requesting only the scopes you need follows the principle of least privilege and enhances security. Here are the most commonly required scopes:

Scope	What It Allows
read_products	View product listings, variants, images, and inventory data from your store
write_products	Create, modify, and delete products, variants, and inventory information
read_orders	Access order details, customer information, and transaction history
write_orders	Create and modify orders, capture payments, and manage order fulfillment
read_customers	View customer profiles, addresses, and purchase history data

## Step-by-Step Guide ### Step 1: Access the Shopify Admin Dashboard Begin by logging into your Shopify admin account. Navigate to the URL `https://admin.shopify.com` and enter your credentials. Once authenticated, you'll have access to your store's control panel. Make sure you're using an account with administrative privileges, as only admin users can create and manage access tokens. ### Step 2: Navigate to the Apps and Integrations Section In the Shopify admin, look for the **Apps and integrations** menu on the left sidebar. This section contains all tools related to app management, custom app development, and API credential generation. Click on **Apps and integrations** to expand the menu and view the available options. ### Step 3: Select "Develop Apps" or "Custom Apps" Within the Apps and integrations section, locate and click on **Develop apps** (formerly called "Custom apps" in earlier Shopify versions). If you've never created a custom app before, you may need to click a button to enable custom app development. Shopify may prompt you to agree to their terms before proceeding. ### Step 4: Create a New Custom App Click the **Create an app** button to begin the creation process. A dialog box will appear asking for basic information about your application: - **App name**: Choose a descriptive name (e.g., "Inventory Sync Tool" or "Email Marketing Integration") - **App URL** (optional): The URL where your app is hosted or developed - **Allowed redirection URL(s)**: URLs where Shopify will redirect users after authentication Fill in these fields appropriately for your use case. The app name helps you identify the token's purpose later, which is useful if you manage multiple integrations. ### Step 5: Configure API Scopes After creating the app, navigate to the **Configuration** tab. This is where you define what permissions your access token will have. Under the **Admin API** section, you'll see a list of available scopes organized by category (Products, Orders, Customers, etc.). Select only the scopes your application actually needs. For example: - If you're building a product sync tool, select `read_products` and `write_products` - If you're creating an order management system, select `read_orders` and `write_orders` - If you need read-only access to customer data, select `read_customers` Being selective with scopes minimizes security risk if your token is ever compromised. ### Step 6: Generate the Access Token Once you've selected your required scopes, save your configuration changes. Return to the **API credentials** tab. You'll now see a section labeled **Admin API access token**. Click the **Reveal token** button (or **Generate token** if it's your first time). Shopify will display your access token—a long alphanumeric string. This is your key to authenticating API requests to your store. ### Step 7: Copy and Securely Store Your Token Copy the access token immediately and store it in a secure location. Here are best practices for token storage: - **Use environment variables**: Store the token in a `.env` file (never commit to version control) - **Password managers**: Use tools like 1Password or LastPass - **Secure vaults**: Use your application's secrets management system (AWS Secrets Manager, Heroku Config Vars, etc.) - **Never share**: Don't include tokens in emails, Slack messages, or public code repositories Once you navigate away from the API credentials page, you won't be able to view the full token again. If you lose it, you'll need to regenerate a new one (which invalidates the old token). ### Step 8: Test Your Token with an API Call Before implementing your token in production, verify it works by making a test API call. Use the following curl example to test your Shopify access token:

curl -X GET "https://yourstore.myshopify.com/admin/api/2025-01/products.json" \
  -H "X-Shopify-Access-Token: your_access_token_here" \
  -H "Content-Type: application/json"

Replace: - `yourstore` with your actual Shopify store domain - `your_access_token_here` with the token you just generated If successful, this request will return a JSON response containing your store's products. A successful response confirms your token has the necessary permissions and can communicate with your Shopify store's API. ### Step 9: Implement the Token in Your Application Now that you've verified the token works, integrate it into your application. Store it as an environment variable and reference it in your code. For example, in a Node.js application:

const shopifyToken = process.env.SHOPIFY_ACCESS_TOKEN;
const storeUrl = 'https://yourstore.myshopify.com';

const response = await fetch(`${storeUrl}/admin/api/2025-01/products.json`, {
  method: 'GET',
  headers: {
    'X-Shopify-Access-Token': shopifyToken,
    'Content-Type': 'application/json'
  }
});

const data = await response.json();

### Step 10: Monitor and Rotate Tokens Regularly Periodically review which apps have access to your store and rotate tokens as needed. If a token is compromised or you no longer need an integration, delete the associated custom app from the Shopify admin. This automatically revokes the access token. ## Using GetShopifyToken (Faster Method) While the manual process outlined above gives you complete control, it can be time-consuming and error-prone, especially if you're managing multiple Shopify stores or integrations. **GetShopifyToken** (available at https://getshopifytoken.com) streamlines this entire process by automating token generation. The platform eliminates manual steps, reduces the risk of misconfiguration, and provides a centralized dashboard for managing multiple access tokens across different stores. For developers working with numerous Shopify integrations in 2026, GetShopifyToken represents a significant time-saving alternative to the traditional manual approach. ## Common Issues - **"Access Denied" Error**: Verify your admin account has full permissions and that you've selected appropriate scopes for your use case - **Token Expires Unexpectedly**: Shopify access tokens don't expire automatically, but regenerating a token invalidates the previous one. Check if someone else in your organization regenerated the token - **Missing Scopes**: If your app can't perform certain actions, you likely didn't request the necessary scopes. Regenerate your token and add the missing permissions - **CORS Errors**: Access tokens work for server-to-server requests only. CORS issues indicate you're trying to call the API directly from client-side code - **Rate Limiting**: Shopify implements rate limits (40 requests per second for standard plans). Space out your API calls to avoid hitting these thresholds - **Invalid Token Format**: Ensure you're not accidentally adding extra spaces or characters when copying your token - **Scope Not Available**: Some scopes require specific Shopify plan levels. Verify your store plan includes the scopes you need ## Related Guides - How to Use Shopify GraphQL API with Your Access Token - Managing Multiple Shopify Store Access Tokens Securely - Building Shopify Custom Apps: A Developer's Complete Guide ## Frequently Asked Questions

Q: How long does a Shopify access token remain valid?

Shopify access tokens don't have an expiration date and remain valid indefinitely until you manually revoke them by deleting the associated custom app. This is different from OAuth refresh tokens, which expire after a certain period. However, it's good practice to rotate tokens periodically for security purposes, especially if you suspect a token has been compromised.

Q: Can I use the same access token for multiple applications or stores?

Each access token is specific to the custom app and store where it was generated. You cannot use a token from Store A in Store B. If you manage multiple Shopify stores, you'll need to generate separate access tokens for each store. Similarly, if you have multiple integrations within the same store, you can either use a single token (if all apps need the same permissions) or create multiple tokens for better security segmentation.

Q: What should I do if my access token is accidentally exposed or compromised?

Immediately navigate to your Shopify admin, find the compromised custom app under Apps and integrations, and delete it. This instantly revokes the access token and prevents any unauthorized access. Then, create a new custom app and generate a fresh token. Update all your systems and applications to use the new token. Additionally, review your store's recent activity logs to check if the compromised token was used maliciously.

---