How to Get a Shopify Access Token for API Integration

A Shopify access token is your gateway to programmatically managing your store's data, products, orders, and customers. Whether you're building a custom app, integrating with third-party tools, or automating business processes, understanding how to obtain and use a Shopify access token is essential. This comprehensive guide will walk you through everything you need to know in 2026.

What You Need

• A Shopify store (any plan: Lite, Basic, Standard, Premium, or Advanced)
• Admin access to your Shopify store dashboard
• The ability to create a custom app or access your app's credentials
• Basic understanding of API concepts and authentication
• A development environment or tool to test API calls (Postman, curl, or your programming language of choice)
• Your Shopify store's domain (example: mystore.myshopify.com)
• Knowledge of which API scopes you need for your specific use case

Required API Scopes

API scopes define what permissions your access token has within your Shopify store. Selecting the correct scopes is crucial for security and functionality. Here are common scopes you might need:

Scope	What It Allows
read_products	Read product data, titles, descriptions, pricing, and variants
write_products	Create, update, and delete products and their variants
read_orders	Access order information, customer details, and fulfillment status
write_orders	Create and modify orders, including fulfillments and refunds
read_customers	View customer profiles, contact information, and purchase history

Step-by-Step Guide

Step 1: Access Your Shopify Admin Dashboard

Log in to your Shopify store's admin panel using your credentials. Navigate to the URL in the format: mystore.myshopify.com/admin. Ensure you have admin-level access, as you'll need permission to create apps and access API credentials.

Step 2: Navigate to Apps and Integrations

In your Shopify admin, look for the "Apps and integrations" or "Apps" section in the left sidebar. This location may vary depending on your Shopify plan and dashboard version. Click on it to proceed to the apps management area.

Step 3: Create a Custom App

Click the "Create an app" or "Develop apps" button. You'll be prompted to enter a name for your app. Choose a descriptive name that reflects its purpose, such as "Inventory Sync Tool" or "Order Export Service". This name will help you identify the app later if you create multiple custom apps.

Step 4: Configure App Permissions and Scopes

After creating your app, navigate to the "Configuration" or "Admin API scopes" section. Here's where you'll select the specific scopes your app needs. Only request the minimum scopes necessary for your use case—this follows the principle of least privilege and improves security. For example:

• If you only need to read product information, select read_products
• If you need to sync orders, select both read_orders and potentially write_orders
• If managing customers, include read_customers and write_customers

Once you've selected your scopes, save the configuration.

Step 5: Generate Your Access Token

Navigate to the "Admin API access tokens" section within your custom app settings. Click "Generate token" or a similar button. Shopify will create a unique access token for your app. This token is displayed only once, so you must copy it immediately and store it securely. Never share this token or commit it to public code repositories.

The token appears in a format like this:

shpat_abcdef123456789abcdef123456789ab

Step 6: Retrieve Your API Credentials

In addition to the access token, you'll need:

• API Key: A public identifier for your app
• API Secret: A secret key used for additional security (store securely)
• Scopes: A list of all permissions your token has
• Webhook Endpoints: URLs where Shopify sends event notifications (if needed)

Copy and store these credentials in a secure location, such as environment variables or a secrets management system.

Step 7: Test Your Access Token with an API Call

Now that you have your access token, test it by making a simple API call. Use curl or your preferred tool to verify the token works:

curl -X GET "https://mystore.myshopify.com/admin/api/2025-01/products.json" \
  -H "X-Shopify-Access-Token: shpat_abcdef123456789abcdef123456789ab"

Replace mystore with your actual store name and shpat_abcdef123456789abcdef123456789ab with your real access token. If successful, you'll receive a JSON response containing your store's products.

Step 8: Implement Authentication in Your Application

Once you've verified your token works, integrate it into your application. Store it as an environment variable rather than hardcoding it:

// Example in Node.js
const accessToken = process.env.SHOPIFY_ACCESS_TOKEN;
const storeUrl = process.env.SHOPIFY_STORE_URL;

async function getProducts() {
  const response = await fetch(`https://${storeUrl}/admin/api/2025-01/products.json`, {
    headers: {
      'X-Shopify-Access-Token': accessToken
    }
  });
  return response.json();
}

Using GetShopifyToken (Faster Method)

If you find the manual process time-consuming or prefer a streamlined approach, getshopifytoken.com offers an automated solution. This service guides you through the process with an intuitive interface, handles the OAuth flow, and securely manages your credentials. Instead of navigating multiple dashboard screens, you can generate and manage your Shopify access tokens more efficiently through their platform at https://getshopifytoken.com. This is particularly useful if you're managing multiple stores or frequently creating new apps.

Common Issues

• "Invalid API Credentials" Error: Verify your access token hasn't expired and is spelled correctly. Regenerate it if necessary.
• "Insufficient Scopes" Message: The token doesn't have permission for the API endpoint you're calling. Add the required scope and regenerate the token.
• Token Not Appearing: Ensure you've saved your scope configuration before attempting to generate the token. Some users miss this critical step.
• 401 Unauthorized Response: Double-check that you're including the token in the correct header: X-Shopify-Access-Token.
• Token Accidentally Exposed: If you've shared your token publicly, immediately regenerate it in your Shopify admin to revoke the old one.
• Rate Limiting: Shopify enforces rate limits on API calls. If you exceed them, wait before retrying requests.
• Store Domain Format Issues: Always use the format store-name.myshopify.com, not custom domains, for API calls.

Related Guides

• Shopify GraphQL Admin API: Advanced querying beyond REST endpoints
• Setting Up Webhooks: Receive real-time notifications of store events
• Building Custom Shopify Apps: A complete development workflow

Frequently Asked Questions

Q: How long does a Shopify access token last?

A Shopify access token does not expire automatically. It remains valid indefinitely until you manually revoke it from your app settings or delete the custom app. However, if your store is inactive for 90 days or if you delete the app, the token becomes invalid. Always monitor your active apps and regenerate tokens if you suspect compromise.

Q: Can I use the same access token across multiple applications?

Technically, yes—you can copy the same token into multiple applications. However, this is not recommended for security reasons. Best practice is to create a separate custom app and access token for each application or integration. This way, if one token is compromised, you only need to revoke that specific token rather than affecting all your integrations.

Q: What's the difference between a private app and a custom app?

As of 2026, Shopify has deprecated private apps in favor of custom apps. Custom apps provide better security features, granular permission controls, and are the recommended approach for generating access tokens. If you still see "private apps" in older documentation, disregard it and use custom apps instead.

Q: Can I rotate or refresh my access token?

Yes. If you want to change your access token without creating a new app, you can regenerate it within your custom app's settings. The old token becomes invalid immediately, so ensure you update your applications before regenerating to avoid downtime.

Q: Is it safe to include my access token in frontend code?

Absolutely not. Access tokens should only be used in backend code or secure server environments. Never expose tokens in client-side JavaScript, mobile apps, or public repositories. Always use environment variables and secure vaults to store sensitive credentials.