How to Get a Shopify Access Token for Installing Custom Apps
Installing custom apps on your Shopify store requires a proper access token—a secure credential that authenticates your application and grants it permission to interact with your store's data. Whether you're building a private app for internal use or integrating a third-party solution, understanding how to obtain and manage your Shopify access token is essential for 2026 and beyond.
This comprehensive guide walks you through the entire process of creating a custom app in Shopify and generating the access token you need to get started.
What You Need
- A Shopify store with admin access (Owner or Staff account with app management permissions)
- Access to your Shopify admin dashboard
- Basic understanding of API terminology and authentication
- A development environment or tool to store and use your access token securely
- Knowledge of which API scopes your custom app requires
- A text editor or secure password manager for storing credentials
- HTTPS-enabled server or development environment (if deploying your app)
Required API Scopes
| Scope | What It Allows |
|---|---|
read_products |
Read access to your store's product data, including titles, descriptions, prices, and variants |
write_products |
Permission to create, update, and modify product information in your store |
read_orders |
Access to view order details, customer information, and transaction history |
write_orders |
Ability to create, update, and modify orders within your Shopify store |
read_customers |
Permission to access customer profiles, contact information, and purchase history |
Step-by-Step Guide
Step 1: Log Into Your Shopify Admin Dashboard
Begin by navigating to your Shopify admin panel. Sign in with your admin credentials at yourstore.myshopify.com/admin. Ensure you have the necessary permissions to manage apps and integrations—typically owner or developer-level access is required.
Step 2: Navigate to the Apps and Integrations Section
Once logged in, look for the "Apps and integrations" menu item in your left sidebar. Click on it to expand the menu. You'll see several options including "Apps and sales channels," "Develop apps," and "Settings." Select "Develop apps" to access the custom app creation interface.
Step 3: Create a New App
In the "Develop apps" section, click the "Create an app" button. A dialog box will appear asking for your app's name. Enter a descriptive name for your custom app—something that clearly identifies its purpose, such as "Inventory Sync Tool" or "Order Processing Bot." Click "Create app" to proceed.
Step 4: Configure Your App's Admin API Credentials
Your new app will appear in the list of developed apps. Click on it to open the app configuration page. Navigate to the "Configuration" tab. Here, you'll see sections for Admin API scopes. These are permissions that determine what your app can access and modify within your Shopify store.
Review the available scopes carefully and select only those that your app genuinely needs. For example, if your app only reads product data, request read_products access. Requesting unnecessary scopes is a security risk. After selecting your required scopes, click "Save" at the bottom of the page.
Step 5: Generate Your Access Token
Once you've saved your scopes, navigate to the "API credentials" tab. You'll see a section labeled "Admin API access token." Click the "Reveal token" button (or "Install app" if this is your first time). Shopify will generate a unique access token for your custom app.
Important: This token will only be displayed once. Copy it immediately and store it in a secure location, such as a password manager or encrypted environment file. Never share this token or commit it to public code repositories.
Step 6: Retrieve Your Shop URL and API Version Information
On the same API credentials page, note your store's API endpoint. It will appear in a format like:
https://yourstore.myshopify.com/admin/api/2025-01/The version number (2025-01 in this example) indicates the Shopify API version your app will use. Ensure your custom app code is compatible with this version.
Step 7: Test Your Access Token
To verify that your access token works correctly, you can make a test API call. Use the following curl command in your terminal, replacing the placeholders with your actual store URL, API version, and access token:
curl -X GET "https://yourstore.myshopify.com/admin/api/2025-01/shop.json" \
-H "X-Shopify-Access-Token: your_access_token_here"If successful, you'll receive a JSON response containing your shop's information. A failed request will return an error code, indicating a problem with your token or scopes.
Step 8: Store and Manage Your Token Securely
Never hardcode your access token directly into your application source code. Instead, use environment variables or configuration files that are excluded from version control. For example, in a Node.js application:
// .env file (NOT committed to git)
SHOPIFY_ACCESS_TOKEN=shpat_xxxxxxxxxxxxxxxxxxxxx
SHOPIFY_STORE_NAME=yourstore
// app.js
const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;
const storeName = process.env.SHOPIFY_STORE_NAME;Using GetShopifyToken (Faster Method)
If manually creating apps and configuring API credentials feels overwhelming, consider using GetShopifyToken available at https://getshopifytoken.com. This platform automates much of the token generation process, providing a streamlined interface that guides you through each step. Instead of navigating multiple admin screens and remembering API scope names, GetShopifyToken presents a user-friendly form that handles the complexity for you.
The service is particularly useful for developers and Shopify partners who frequently need to generate tokens for multiple stores or who want to ensure they're requesting only the necessary scopes. By using https://getshopifytoken.com, you can reduce setup time from 15-20 minutes to just a few minutes, allowing you to focus on building your custom app rather than managing Shopify's admin interface.
Common Issues
- Token Expired or Invalid: If your API calls return authentication errors, your token may have been deactivated. Regenerate a new token from the app's API credentials page and update your application.
- Insufficient Scopes: If your app receives permission denied errors, you likely requested scopes that are too restrictive. Review your app's required functionality and update the Admin API scopes accordingly.
- Rate Limiting: Shopify enforces API rate limits. If you exceed them, implement exponential backoff retry logic in your code to handle throttling gracefully.
- Token Accidentally Exposed: If you've committed your token to a public repository or shared it accidentally, immediately regenerate a new token from the Shopify admin to invalidate the old one.
- CORS Errors: Direct API calls from browser-based JavaScript may fail due to CORS restrictions. Use a backend server to make API requests instead.
- Store Not Found Errors: Ensure your store URL matches your actual Shopify domain exactly, including the correct myshopify.com domain suffix.
- API Version Deprecated: Shopify periodically retires older API versions. If your token uses an outdated API version, update your code to use a current version before the deprecation deadline.
Related Guides
- Getting Started with Shopify GraphQL Admin API: Learn how to query and mutate data using GraphQL instead of REST endpoints
- Managing API Scopes and Permissions: A detailed breakdown of every available Admin API scope and when to use each one
- Building a Shopify Private App for Internal Use: Step-by-step instructions for creating custom solutions tailored to your store's specific needs
Frequently Asked Questions
Q: Can I use the same access token for multiple apps?
No, each custom app should have its own unique access token. This practice follows the principle of least privilege—each app receives only the permissions and token it needs. If one token is compromised, only that specific app is affected, and you can regenerate a new token without impacting other apps.
Q: How often should I rotate my access tokens?
Shopify doesn't set a mandatory rotation schedule, but industry best practices recommend rotating sensitive credentials every 90 days. However, the most important rule is to immediately regenerate your token if you suspect it's been exposed or compromised. For long-running apps that rarely need updates, annual rotation is typically sufficient.
Q: What's the difference between private apps and custom apps?
As of 2024-2026, Shopify has consolidated custom app functionality, but "private apps" historically referred to apps installed only on your own store. Modern "custom apps" serve the same purpose. Both use access tokens for authentication. Always consult Shopify's current documentation to ensure you're using the latest terminology and best practices for your API version.