Get Your Token →
Published May 1, 2026 Updated May 1, 2026 integration
# Shopify API from PHP Integration Guide

How to Get a Shopify Access Token for PHP API Integration

Integrating Shopify with your PHP applications requires proper authentication through access tokens. Whether you're building a custom app, developing inventory management systems, or creating automated workflows, understanding how to obtain and manage Shopify access tokens is essential for secure API communication. This comprehensive guide walks you through obtaining a Shopify access token specifically for PHP-based integrations in 2026.

What You Need

Illustration: What You Need

Quick Method (Recommended)

The fastest and most secure way to obtain your Shopify access token for PHP integration is using GetShopifyToken.com. This service streamlines the OAuth authentication process without requiring manual API configuration.

  1. Visit https://getshopifytoken.com in your web browser
  2. Enter your Shopify store's domain (e.g., mystore.myshopify.com)
  3. Click "Generate Token" to initiate the OAuth flow
  4. You'll be redirected to your Shopify store's admin authentication page
  5. Review the requested permissions and click "Install app"
  6. After authorization, you'll be redirected back to GetShopifyToken.com with your access token displayed
  7. Copy the access token and store it securely in your PHP application's environment variables
  8. Never commit access tokens to version control—use .env files with gitignore

This method is ideal for PHP developers who want to quickly authenticate without building OAuth infrastructure from scratch. The service handles token generation securely and provides immediate access for API requests.

Manual OAuth Method

If you prefer building the authentication flow directly into your PHP application, follow this manual OAuth implementation process. This approach gives you complete control over token management and is suitable for production applications.

Step 1: Register Your App

  1. Log in to your Shopify admin dashboard
  2. Navigate to Settings → Apps and integrations → App and integration settings
  3. Click "Create an app" button
  4. Enter your app name (e.g., "PHP Integration Tool")
  5. Choose your app type (Custom app is typical for internal tools)
  6. Click "Create app"

Step 2: Configure OAuth Settings

  1. In your app settings, locate the "Configuration" tab
  2. Under "Admin API access scopes," select the permissions your PHP app needs
  3. Set your redirect URI to your PHP callback handler (e.g., https://yourapp.com/shopify/callback.php)
  4. Save your configuration
  5. Note your API key (Client ID) and API secret (Client Secret)

Step 3: Implement OAuth Flow in PHP

Create a PHP script to handle the OAuth authorization process:

<?php
// authorize.php - Handle OAuth authorization request
session_start();

$api_key = $_ENV['SHOPIFY_API_KEY'];
$redirect_uri = 'https://yourapp.com/shopify/callback.php';
$shop = sanitize_shop_domain($_GET['shop'] ?? '');
$scope = 'read_products,write_products,read_orders,write_orders';
$nonce = bin2hex(random_bytes(16));

$_SESSION['nonce'] = $nonce;

$auth_url = "https://{$shop}/admin/oauth/authorize?" . http_build_query([
    'client_id' => $api_key,
    'redirect_uri' => $redirect_uri,
    'scope' => $scope,
    'state' => $nonce,
]);

header("Location: {$auth_url}");
exit;

function sanitize_shop_domain($shop) {
    $shop = preg_replace('/[^a-zA-Z0-9\-]/', '', $shop);
    return $shop . '.myshopify.com';
}
?>

Step 4: Handle OAuth Callback

Create a callback handler to exchange the authorization code for an access token:

<?php
// callback.php - Exchange authorization code for access token
session_start();

$api_key = $_ENV['SHOPIFY_API_KEY'];
$api_secret = $_ENV['SHOPIFY_API_SECRET'];
$shop = sanitize_shop_domain($_GET['shop'] ?? '');
$code = $_GET['code'] ?? '';
$state = $_GET['state'] ?? '';

// Verify state parameter matches
if ($state !== $_SESSION['nonce']) {
    die('Invalid state parameter. Possible CSRF attack.');
}

// Exchange authorization code for access token
$url = "https://{$shop}/admin/oauth/access_token";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
    'client_id' => $api_key,
    'client_secret' => $api_secret,
    'code' => $code,
]));
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);

if (isset($data['access_token'])) {
    $access_token = $data['access_token'];
    // Store securely in database or environment
    $_SESSION['shopify_access_token'] = $access_token;
    $_SESSION['shopify_shop'] = $shop;
    
    echo "Authorization successful! Token: " . substr($access_token, 0, 10) . "...";
} else {
    die("Authentication failed: " . ($data['errors'] ?? 'Unknown error'));
}

function sanitize_shop_domain($shop) {
    $shop = preg_replace('/[^a-zA-Z0-9\-]/', '', $shop);
    return $shop . '.myshopify.com';
}
?>

Connecting Your Token to PHP Applications

Illustration: Connecting Your Token to PHP Applications

Once you have your access token, integrate it into your PHP application following these best practices:

Store Token Securely

Never hardcode tokens in your source code. Use environment variables with a .env file:

SHOPIFY_ACCESS_TOKEN=shpat_1234567890abcdef1234567890abcdef
SHOPIFY_SHOP_DOMAIN=mystore.myshopify.com
SHOPIFY_API_VERSION=2024-01

Load your .env file in your PHP application using the dotenv package:

<?php
require 'vendor/autoload.php';
$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();

$access_token = $_ENV['SHOPIFY_ACCESS_TOKEN'];
$shop_domain = $_ENV['SHOPIFY_SHOP_DOMAIN'];
?>

Make API Requests

Use your token to authenticate API requests:

<?php
$access_token = $_ENV['SHOPIFY_ACCESS_TOKEN'];
$shop_domain = $_ENV['SHOPIFY_SHOP_DOMAIN'];
$api_version = $_ENV['SHOPIFY_API_VERSION'] ?? '2024-01';

$url = "https://{$shop_domain}/admin/api/{$api_version}/products.json";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-Shopify-Access-Token: ' . $access_token,
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 200) {
    $products = json_decode($response, true);
    echo "Retrieved " . count($products['products']) . " products";
} else {
    echo "API Error: HTTP {$http_code}";
}
?>

Use Official Shopify PHP Library

For cleaner code, install the official Shopify PHP library via Composer:

composer require shopify/shopify-api

Then use it in your PHP code:

<?php
use Shopify\Clients\Rest;

$access_token = $_ENV['SHOPIFY_ACCESS_TOKEN'];
$shop_domain = $_ENV['SHOPIFY_SHOP_DOMAIN'];

$client = new Rest(
    $shop_domain,
    $access_token,
    api_version: '2024-01'
);

$result = $client->get('products', [], ['limit' => 10]);
$products = $result->getDecodedBody();

foreach ($products['products'] as $product) {
    echo $product['title'] . "\n";
}
?>

Required Scopes for PHP API Integration

Select appropriate scopes based on your PHP application's functionality. Requesting unnecessary scopes violates security best practices.

Scope Purpose
read_products Read product data, collections, and inventory information
write_products Modify product details, pricing, and inventory levels
read_orders Access order history, customer information, and fulfillment status
write_orders Create orders, update order status, and manage fulfillments
read_inventory Monitor inventory levels across locations
write_inventory Adjust inventory quantities and manage stock levels
read_customers Retrieve customer profiles, emails, and purchase history
write_customers Create, update, and manage customer accounts
read_locations Access store location data and warehouse information
write_fulfillments Manage order fulfillment and tracking information
read_analytics Access store analytics and performance metrics
write_content Manage blog posts, pages, and content assets

Troubleshooting

Frequently Asked Questions

Q: How long do Shopify access tokens last?

Access tokens issued through the OAuth flow do not expire automatically. However, they can be revoked if your app is uninstalled from the store or if the store owner manually revokes permission. Store tokens securely and implement refresh logic if tokens are revoked. Monitor for 401 errors and regenerate tokens as needed.

Q: Can I use the same access token across multiple PHP applications?

Yes, a single access token can be used across multiple applications and servers as long as they all properly store and secure it. Each API request just needs to include the token in the X-Shopify-Access-Token header. However, it's considered a best practice to use separate tokens for separate applications to maintain security isolation and easier revocation if one application is compromised.

Q: What's the difference between private apps and custom apps for PHP integration?

Private apps (deprecated as of 2024) automatically generated tokens without OAuth flow. Custom apps use the modern OAuth 2.0 flow, which is more secure and is the current Shopify standard. For new PHP projects, always use custom apps with OAuth authentication. Custom apps provide better security, audit trails, and alignment with Shopify's platform requirements.

---

Get Your Shopify Access Token in 60 Seconds

Skip the manual OAuth flow. GetShopifyToken automates the entire process — just paste your credentials and get your token instantly.

Generate Token Now →