Shopify announced a new security requirement effective April 1, 2026: all newly created public apps that access the Admin API must use expiring offline access tokens instead of indefinite ones. This change applies only to public apps created on or after the April 1 deadline. Existing public apps, custom apps, and merchant-created apps are not affected by this requirement.
Expiring offline access tokens enhance merchant data protection by limiting how long a compromised token remains usable. Instead of remaining valid indefinitely, tokens now have a defined lifespan, which forces developers to implement token refresh mechanisms and maintain better security practices. This aligns with modern OAuth best practices and reduces the risk of unauthorized long-term access to merchant data across Shopify stores.
GetShopifyToken simplifies secure token management for Shopify developers by providing robust handling of both standard and expiring offline access tokens. Our platform helps you implement token refresh workflows efficiently, ensuring your apps remain compliant with Shopify's evolving security standards while maintaining reliable merchant access.