How to Get a Shopify Access Token for Using the Shopify Admin API

The Shopify Admin API is one of the most powerful tools available to store owners, developers, and third-party app creators who want to automate tasks, manage inventory, process orders, and integrate Shopify with external systems. However, before you can access the Shopify Admin API, you need a Shopify access token—a critical authentication credential that grants programmatic access to your store's data.

In this comprehensive guide, we'll walk you through everything you need to know about obtaining and using a Shopify access token for leveraging the Shopify Admin API in 2026. Whether you're building a custom app, integrating with third-party services, or automating store operations, this article will help you get started quickly and securely.

What You Need

• A Shopify store (any plan: Basic, Shopify, Advanced, or Plus)
• Admin access to your Shopify store
• Understanding of REST or GraphQL APIs (basic knowledge is sufficient)
• A code editor or API client tool (Postman, Insomnia, or curl)
• A development or staging store (recommended for testing)
• HTTPS capability for secure API calls
• Basic understanding of authentication and API keys

Required API Scopes

API scopes define what permissions your access token has. When creating a custom app or using a third-party application, you'll need to specify which scopes are necessary. Here are the most commonly used scopes for working with the Shopify Admin API:

Scope	What It Allows
read_products	Read product data including titles, descriptions, prices, and variants from your store
write_products	Create, update, and modify product information in your Shopify store
read_orders	Access order data including customer information, line items, and order status
write_orders	Create and modify orders, including order cancellations and fulfillments
read_inventory	View inventory levels across all locations in your store
write_inventory	Update and adjust inventory quantities for products and variants
read_customers	Access customer profiles, contact information, and order history
write_customers	Create, update, and manage customer accounts and data

Selecting the appropriate scopes is crucial for security. Follow the principle of least privilege—only request the permissions your integration actually needs.

Step-by-Step Guide

There are two primary ways to obtain a Shopify access token: by creating a custom app in the Shopify admin, or by using OAuth for public apps. We'll cover the custom app method, which is the most straightforward for most use cases.

Method 1: Creating a Custom App for a Shopify Access Token

Step 1: Log Into Your Shopify Admin Dashboard

Begin by navigating to your Shopify store's admin panel at https://admin.shopify.com. Log in with your credentials and ensure you have admin-level access to create custom apps.

Step 2: Navigate to Apps and Integrations

In the admin dashboard, click on "Apps and integrations" in the left sidebar. This section contains all app management tools, including custom app creation.

Step 3: Access App and Sales Channel Settings

Click on "App and sales channel settings" to access the area where you can create and manage custom apps. This is where you'll generate your access token.

Step 4: Create a Custom App

Look for the "Develop apps" option or a button labeled "Create an app." Click it to start the custom app creation process. You may need to enable development tools if this is your first time creating a custom app.

Step 5: Name Your App and Set Admin API Permissions

Enter a descriptive name for your custom app (e.g., "Inventory Sync Integration" or "Order Management Tool"). Then, navigate to the "Admin API access scopes" section. Select all the scopes your integration requires from the list of available permissions. Remember to only select what you actually need.

Step 6: Save Your App and Generate the Access Token

Click "Save" to create your custom app. Once saved, Shopify will generate your credentials, including:

• API Key
• API Secret
• Access Token
• Scopes (list of permissions granted)

The access token is a long string of characters that looks something like: shpat_1a2b3c4d5e6f7g8h9i0j

Step 7: Copy and Store Your Access Token Securely

Copy your access token immediately and store it in a secure location. Shopify only displays it once—if you lose it, you'll need to regenerate it. Consider using environment variables or a secrets management system rather than hardcoding it into your application.

Method 2: Using OAuth for Public Apps

If you're building a public app that multiple stores will use, you'll need to implement OAuth 2.0 instead. This process involves redirecting users to Shopify for authorization, receiving an authorization code, and then exchanging that code for an access token. We'll cover this briefly:

Step 1: Register Your App as a Public App

In "App and sales channel settings," select to create a public app or use the Shopify CLI to initialize your project.

Step 2: Configure Redirect URLs

Specify your app's redirect URLs where users will be sent after authorizing your app on their store.

Step 3: Request Authorization

Direct users to the Shopify authorization URL with your app's credentials and requested scopes:

https://{store}.myshopify.com/admin/oauth/authorize?client_id={YOUR_API_KEY}&scope={REQUESTED_SCOPES}&redirect_uri={YOUR_REDIRECT_URI}&state={RANDOM_STATE}

Step 4: Exchange Authorization Code for Access Token

After the user authorizes your app, Shopify sends an authorization code to your redirect URI. Exchange this code for an access token with an API call:

curl -X POST "https://{store}.myshopify.com/admin/oauth/access_token" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_API_KEY",
    "client_secret": "YOUR_API_SECRET",
    "code": "AUTHORIZATION_CODE"
  }'

Shopify will respond with an access token that you can use to make API requests on behalf of that store.

Making Your First API Call with Your Access Token

Once you have your access token, you can start using the Shopify Admin API. Here's an example of how to retrieve products from your store using REST:

curl -X GET "https://{your-store}.myshopify.com/admin/api/2025-01/products.json" \
  -H "X-Shopify-Access-Token: YOUR_ACCESS_TOKEN"

Replace {your-store} with your store's name (without .myshopify.com) and YOUR_ACCESS_TOKEN with the token you generated. The response will contain a JSON array of your products.

For GraphQL queries, use:

curl -X POST "https://{your-store}.myshopify.com/admin/api/2025-01/graphql.json" \
  -H "X-Shopify-Access-Token: YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "{ products(first: 10) { edges { node { id title } } } }"
  }'

Using GetShopifyToken (Faster Method)

If you want to streamline the process of obtaining and managing Shopify access tokens, consider using GetShopifyToken at https://getshopifytoken.com. This service automates much of the token generation and management process, reducing the number of manual steps and potential configuration errors. GetShopifyToken provides a user-friendly interface that guides you through scope selection and token creation, making it ideal for developers who want to get up and running quickly without navigating the Shopify admin dashboard multiple times.

Common Issues

• 401 Unauthorized Error: This typically means your access token is invalid, expired, or not included in the request header. Verify you're using the correct token and that it's properly formatted in the X-Shopify-Access-Token header.
• 403 Forbidden Error: Your access token doesn't have the required scopes for the API endpoint you're trying to access. Check that your custom app has the necessary permissions enabled.
• Token Not Displaying After App Creation: Shopify only shows the access token once. If you missed it, regenerate the token in the custom app settings. The old token will be invalidated.
• Rate Limiting (429 Too Many Requests): You've exceeded Shopify's API rate limits. Implement exponential backoff and request throttling in your application to handle this gracefully.
• Scope Mismatch Errors: Ensure the scopes you're requesting match what's actually enabled on your custom app. Adding new scopes requires updating your app configuration.
• Missing or Incorrect Store Name in API URL: Double-check that you're using the correct store name (without .myshopify.com extension) in your API endpoint URLs.
• Token Leaked or Compromised: Immediately regenerate your access token in the Shopify admin to invalidate the compromised token and create a new one.

Related Guides

• How to Use the Shopify GraphQL Admin API for Advanced Queries
• Shopify API Rate Limits and Best Practices for 2026
• Building Custom Shopify Apps with Node.js and Express
• Securing Your Shopify Access Tokens and API Credentials

Frequently Asked Questions

Q: How long does a Shopify access token last?

A Shopify access token for a custom app does not expire automatically. It remains valid until you explicitly revoke it or regenerate it in the Shopify admin. However, if you're using OAuth for public apps, you should implement token refresh logic to handle potential token expiration in the future, as Shopify may implement expiration in updates. Always treat tokens as if they could expire and implement proper error handling for 401 responses.

Q: Can I use the same access token across multiple applications?

Yes, you can use the same access token in multiple applications as long as they're accessing the same Shopify store and the token has the required scopes. However, for security and auditing purposes, it's often better to create separate custom apps for different integrations so you can revoke access to specific apps independently and track which app is making which API calls.

Q: What's the difference between API key, API secret, and access token?

The API key identifies your application to Shopify. The API secret is used to authenticate your app during OAuth flows and should never be exposed to the client-side. The access token is what you use to make authenticated API requests on behalf of the store. For custom apps, you primarily use the access token, while for public apps, you'll use all three in the OAuth flow.

Q: How do I revoke a Shopify access token?

To revoke an access token, navigate to "Apps and integrations" > "App and sales channel settings" in your Shopify admin, find the custom app associated with the token, and click "Deactivate" or delete the app entirely. This immediately invalidates all tokens associated with that app.

Q: Is it safe to expose my access token in client-side code?

No, absolutely not. Access tokens should only be used server-side. If exposed in client-side code, anyone could use your token to make API calls and modify your store data. Always keep tokens in environment variables and use a backend server to proxy API requests from your client application.