How to Get a Shopify Access Token for Custom App Installation
Installing a custom app in Shopify requires proper authentication, and at the heart of that authentication is your Shopify access token. Whether you're developing a private application, integrating third-party services, or building a custom solution for your store, understanding how to obtain and use a Shopify access token is essential. This comprehensive guide will walk you through the entire process of installing a custom app in Shopify and generating the access tokens you need.
What You Need
- A Shopify store (any plan that allows custom apps)
- Admin access to your Shopify store
- Understanding of API basics and authentication protocols
- A development environment or text editor for managing tokens securely
- Knowledge of the specific API scopes your custom app requires
- HTTPS connection (required for secure token transmission)
- Backup storage for sensitive credentials (secure vault or environment variables)
Required API Scopes
API scopes define what permissions your custom app has within your Shopify store. Before creating your access token, you must specify which scopes your application needs. Here are the most common scopes for custom app installations:
| Scope | What It Allows |
|---|---|
| read_products | View product data, including titles, descriptions, prices, and inventory levels |
| write_products | Create, modify, and delete products in your store |
| read_orders | Access order information, customer details, and transaction history |
| write_orders | Create and modify orders, including fulfillment and payment details |
| read_customers | View customer data, addresses, and account information |
| write_customers | Create and update customer records and customer groups |
| read_inventory | Access inventory levels and stock information |
Step-by-Step Guide
Follow these detailed steps to install a custom app and obtain your Shopify access token:
Step 1: Log In to Your Shopify Admin Dashboard
Navigate to your Shopify store's admin panel by visiting https://your-store-name.myshopify.com/admin. Log in with your credentials and ensure you have administrative privileges.
Step 2: Access the Apps and Integrations Section
In the left sidebar of your Shopify admin, look for the "Apps and integrations" option. Click on it to expand the menu. This is where you'll manage all applications connected to your store, including custom apps.
Step 3: Navigate to Develop Apps
Within the Apps and integrations section, you'll see an option for "Develop apps." Click this to access Shopify's custom app development interface. If you don't see this option, you may need to enable it by clicking "Allow custom app development" first.
Step 4: Create a New App
Click the "Create an app" button. A dialog box will appear asking for your app name. Enter a descriptive name for your custom app—something like "Inventory Sync Tool" or "Order Management System." Click "Create app" to proceed.
Step 5: Define Your API Scopes
Once your app is created, navigate to the "Configuration" section. Under "Admin API scopes," you'll see a list of available permissions. Select only the scopes your application needs. For example, if you're building an inventory management tool, you might select read_inventory and write_inventory. Always follow the principle of least privilege—only request the permissions your app actually needs.
Step 6: Save Your Scope Configuration
After selecting your required scopes, click "Save" to apply these settings. Shopify will confirm that your API scope configuration has been updated.
Step 7: Generate Your Access Token
Now for the critical part: generating your access token. Navigate to the "API credentials" tab within your app settings. You'll see a section labeled "Admin API access token." Click "Reveal token" to generate and display your access token. This is a long string of characters that authenticates your app to Shopify's API.
Step 8: Securely Store Your Access Token
Copy your access token immediately and store it in a secure location. Never share this token or commit it to version control systems like GitHub. Use environment variables or secure vault systems to manage this sensitive credential. Your token should be treated with the same security as a password.
Step 9: Test Your Connection
To verify your token works correctly, you can make a test API call. Here's a curl example that retrieves your shop information:
curl -X GET "https://your-store-name.myshopify.com/admin/api/2024-01/shop.json" \
-H "X-Shopify-Access-Token: your_access_token_here"Replace your-store-name with your actual store name and your_access_token_here with the token you just generated. If successful, you'll receive a JSON response containing your shop information.
Step 10: Install and Configure Your Custom App
Once your token is generated and tested, install your custom app by uploading it to your hosting server or deployment platform. Configure the app to use your access token (stored securely as an environment variable). Your app can now authenticate with the Shopify API and perform the actions defined by your selected scopes.
Using GetShopifyToken (Faster Method)
If you want to streamline the process of obtaining Shopify access tokens, consider using getshopifytoken.com. This platform automates much of the token generation process, reducing the number of manual steps and potential configuration errors. While the manual process outlined above gives you complete control, getshopifytoken.com can accelerate your setup significantly, especially if you're managing multiple stores or frequently creating new custom apps.
Common Issues
- Token Not Appearing: If your access token doesn't appear after clicking "Reveal token," try refreshing the page or clearing your browser cache. Sometimes the UI requires a refresh to display the token.
- 401 Unauthorized Errors: This typically means your token is invalid, expired, or has insufficient permissions. Double-check that you've copied the token correctly and that it includes all necessary scopes for your API request.
- Insufficient Scope Errors: If your API calls return "insufficient scope" errors, return to your app configuration and add the missing scopes. Remember to save your changes.
- Token Accidentally Exposed: If you accidentally share your token publicly, immediately regenerate it by clicking "Rotate credentials" in your app settings. The old token will become invalid.
- App Development Disabled: Some Shopify plans or store accounts have custom app development disabled by default. Contact Shopify support or your store owner to enable this feature.
- API Rate Limiting: If you receive rate limit errors (429 status codes), your app is making too many API calls. Implement backoff strategies and optimize your API usage patterns.
- HTTPS Requirements: Shopify API only accepts requests from HTTPS endpoints. Ensure your application uses secure connections.
Related Guides
- How to Use Shopify GraphQL Admin API with Your Access Token
- Best Practices for Securing Your Shopify API Credentials
- Setting Up Webhook Subscriptions for Your Custom Shopify App
Frequently Asked Questions
Q: Can I use the same access token for multiple custom apps?
Technically, you could share a token between apps, but this is not recommended. Best practice dictates creating separate tokens for each application or integration. This way, if one token is compromised, you only need to regenerate credentials for that specific app, not all of them. It also helps with monitoring and auditing which app is making which API calls.
Q: How often do I need to refresh my Shopify access token?
Unlike some OAuth tokens that expire after a set period, Shopify access tokens for custom apps do not expire automatically. They remain valid indefinitely until you manually regenerate or revoke them. However, it's good security practice to periodically rotate your tokens, especially if you suspect any compromise or if an employee with access leaves your organization.
Q: What's the difference between private apps and custom apps in Shopify?
As of 2024-2025, Shopify has transitioned away from the "private app" terminology toward the more general "custom app" designation. Custom apps are the current standard for internal integrations and tools. They work with both REST and GraphQL APIs and offer the same robust security features. If you're using an older Shopify store that still references "private apps," the functionality is essentially equivalent to custom apps.
Q: Can I view my access token after I've closed the dialog?
No, Shopify does not display your access token again after the initial generation. If you didn't copy it, you must regenerate it. This is a security feature to prevent unauthorized token exposure. Always copy and securely store your token immediately upon generation.
Q: What should I do if my access token is compromised?
Immediately navigate to your custom app's API credentials section and click "Rotate credentials." This will invalidate your current token and generate a new one. Update your application to use the new token right away. Consider auditing your API access logs to see if the compromised token was used to perform unauthorized actions.