Experienced E-commerce Agency for Magento/ Adobe Commerce/ Shopify/ Shopware Development

How to Create Shopify API Access Token: A Complete Guide

Shopify’s robust API is the backbone for countless e-commerce innovations, offering a gateway to a world of possibilities for online businesses. At the heart of this access lies the Shopify API access token, a digital key that opens the door to data and functionality.

But how can you create your own Shopify API access token? What are the key differences between private and public apps? How can you use this knowledge to supercharge your e-commerce endeavors?

In this guide, we’ll provide a step-by-step walkthrough on obtaining your Shopify API access token and answer these burning questions. Let’s dive in!

Table of Contents

What is a Shopify API Access Token?

A Shopify API Access Token is a security credential that allows an application to authenticate itself when making requests to the Shopify API (Application Programming Interface). The Shopify API is a set of web-based protocols and utilities designed to enable developers to programmatically interact with and manipulate data on a Shopify store programmatically.

What is a Shopify API access token?

The purpose of the access token is to establish the application’s identity and grant it permission to access a specific Shopify store’s data and perform actions on behalf of the store owner. Access tokens are used for authentication and authorization, ensuring only authorized applications can access and modify the store’s information.

Role of Shopify API Access Token

The Shopify API Access Token is crucial in interacting with applications (such as web applications, mobile apps, or integrations) and the Shopify platform. Its primary roles include:

  • Authentication: The access token serves as a form of authentication, verifying the application’s identity and making requests to the Shopify API. It ensures that the API requests are coming from a legitimate source.
  • Authorization: Access tokens specify the level of access or permissions granted to the application. Different access tokens can have different permissions, depending on what the application needs to do. Permissions are associated with specific actions and data, allowing granular control over what the application can access and modify.
  • Secure communication: When an application includes an access token in its API requests, it establishes a secure and trusted communication channel with the Shopify platform. This secure channel prevents unauthorized access and data breaches.
  • Data retrieval: Access tokens enable applications to retrieve data from a Shopify store, such as customer information, product details, orders, etc. The scope of data that can be accessed depends on the permissions associated with the token.
  • Data modification: Applications can use access tokens to modify data on a Shopify store. This includes creating new products, updating inventory levels, processing orders, and more. Again, the extent of data modification is determined by the granted permissions.
  • User context: In cases where a store owner or user interacts with an application (e.g., installing a public app), the access token grants the application the authority to actions on behalf of the user. This is essential for personalized and user-specific interactions.
  • Security: Access tokens are typically time-limited and can be revoked by the store owner if necessary. This adds a layer of security, as access can be withdrawn in the event of suspicious activity or if the application is no longer trusted.

Shopify API Access Token adds layer of security

  • Rate limiting: Access tokens can be subject to rate limiting, which controls the number of API requests an application can make within a certain time frame. Rate limiting helps ensure fair usage of Shopify’s resources and maintains system stability.

Types of Shopify Apps

Shopify apps can be categorized into two main types: public apps and custom apps. These categories serve different purposes and cater to different needs of both merchants and developers.

Public Apps

Public apps are third-party applications developed by independent developers or companies and available for all Shopify merchants to install and use. These apps are listed on the Shopify App Store and can be discovered by any merchant looking to extend the functionality of their online store. 

Public apps offer many features and integrations, including marketing tools, inventory management, customer service, and more. Some common examples of public apps include Oberlo, Mailchimp, and SEO-related apps. Exploring our Shopify integration services can provide additional customization and functionality beyond what’s available in the App Store.

Custom Apps

Custom apps, also known as private or custom-built apps, are developed specifically for a single Shopify store or a small group of stores. These apps are not listed on the Shopify App Store and are created to address the unique or specialized requirements of a merchant. 

Shopify custom apps

Custom apps are typically developed by Shopify developers or agencies the merchant hires.

Key Differences Between Shopify Public Apps and Custom Apps

Shopify public and custom apps are two distinct types of applications that serve different purposes and have several key differences. Here are the key differences between them:

  Public Apps Custom Apps
Availability and Access Public apps are available to all Shopify merchants. They are listed on the Shopify App Store, allowing merchants to discover, install, and use them. Custom apps are developed for specific individual merchants or a limited group of merchants. They are not listed on the Shopify App Store and are designed to address unique, specialized needs.
Development and Ownership Independent third-party developers or companies typically develop public apps. They are owned and maintained by the developers, who may offer support and updates to many users. Custom apps are developed specifically for one merchant or a small group of merchants. They are usually created by Shopify developers or agencies hired by the merchant. The merchant retains ownership and control over the custom app.
Purpose and Functionality Public apps offer a wide range of features and functionality designed to enhance the capabilities of a Shopify store. They cover various aspects such as marketing, inventory management, customer service, etc. Custom apps are built to meet a single merchant’s unique and specific needs. They are highly tailored and can provide custom solutions, integrations, and workflows unavailable through public apps.
Listing and Discovery Public apps are listed on the Shopify App Store, making them easily discoverable by merchants. Users can review and rate them, helping merchants make informed choices. Custom apps do not appear in the Shopify App Store and remain hidden by other merchants. They are typically developed in collaboration with the specific merchant who needs them.
Pricing and Billing Public apps offer various pricing plans, including free trials, freemium models, and paid subscriptions. Merchants pay the developer or company directly for the chosen plan. Custom apps may not follow the standard pricing models of public apps. Pricing for custom apps is negotiated between the merchant and the developer or agency responsible for building the app.
Support and Updates Developers of public apps typically provide ongoing support, bug fixes, and updates to their apps. Merchants can reach out to the developer’s support team for assistance. Support and maintenance for custom apps are usually arranged between the merchant and the developer or agency. The level of support and updates can be customized to the merchant’s needs.

How to Get Shopify API Access Token for Custom Apps

To get a Shopify API access token for a custom app, you’ll need to follow a series of steps outlined by Shopify. The access token is required for your app to interact with the Shopify API and perform actions on behalf of a Shopify store. 

Here’s a step-by-step guide on how to obtain an API access token for your custom app:

1. Create a Shopify Partner Account (If You Don’t Have One)

Create a Shopify Partner account

If you don’t already have a Shopify Partner account, you’ll need to create one. This account will enable you to both create and oversee your custom apps.

2. Create a New Custom App in the Shopify Partner Dashboard

Create a public app in Shopify Partner Dashboard

  • Log in to your Shopify Partner account.
  • Go to the Apps section in the Partner Dashboard.
  • Press the Create app button to start creating a new custom app.

3. Configure Your Custom App

Fill out the required information about your app, including its name, developer name, and app URL.

Specify the app’s scopes, determining the permissions it has to access store data. Choose the necessary scopes based on the functionality of your app.

4. Generate API Credentials

After configuring your app, you’ll receive API credentials, including the API Key and API Secret Key. Keep these credentials secure.

5. Install the Custom App on a Shopify Store

You’ll need to install your custom app on a Shopify store to obtain an access token. You can do this by visiting the Shopify store’s admin and, going to the Apps section, then clicking Manage private apps.

6. Create a Private App

Click the Create private app button to create a private app associated with your custom app.

Fill out the required information for the private app, including the permissions (scopes) it needs and the store it’s associated with.

7. Generate an Access Token

Once the private app is created, you’ll receive an access token. Utilize this access token to verify your custom app’s identity when making API requests to the associated Shopify store.

8. Store and Secure the Access Token

Safeguard the access token, as it’s a sensitive piece of information. Do not share it publicly or hardcode it into your app’s source code. Use secure methods for storage and retrieval.

9. Use the Access Token in Your Custom App

Authenticate API requests to the Shopify store within your custom app’s code by incorporating the access token contained in the Authorization header of your HTTP requests.

10. Test and Monitor Your Custom App

Test your custom app thoroughly to ensure it functions as expected. Monitor its usage and consider implementing error handling and security best practices.

How to Get Shopify API Access Token for Public Apps

To obtain a Shopify API access token for a public app, you need to go through the OAuth 2.0 authentication process. Here are the steps to get an access token for a public Shopify app:

1. Create a Public App in Shopify Partner Dashboard

  • Log in to your Shopify Partner account.
  • From the Partner Dashboard, click on Apps.
  • Click the Create app button to create a new public app.

2. Configure the App Details

Fill out the required information for your public app, including the App name, App URL, Redirection URL, and other details.

Configure the App Details

In the App setup section, specify your app’s scopes (permissions) that your app requires. Be specific about the data and actions your app needs access to.

3. Save the App

After configuring the app details and permissions, click the Create app button to create your public app.

4. Retrieve API Credentials

Retrieve API credentials

Once your app is created, you’ll be provided with the following API credentials:

  • API Key: This is your app’s client ID.
  • API Secret Key: This is your app’s client secret.


5. Initiate OAuth 2.0 Authentication

To obtain an access token, you need to initiate the OAuth 2.0 authentication flow by redirecting the merchant to Shopify’s authorization URL. This URL should look like this:


Replace `{shop}` with the merchant’s shop domain, `{api_key}` with your app’s API Key, `{scopes}` with a comma-separated list of the scopes you require, `{redirect_uri}` with your app’s redirection URL, and `{state}` with a random value for security.

6. User Authentication

The merchant will be prompted to log in to their Shopify store and authorize your app to access the requested scopes.

7. Exchange Authorization Code for Access Token

After the merchant authorizes your app, they will be redirected to your app’s redirect_uri containing an authorization code as a query parameter.

Your app must then make a POST request to Shopify’s token endpoint to exchange the authorization code for an access token. Here’s an example using cURL:

curl -X POST "https://{shop}.myshopify.com/admin/oauth/access_token" \
-d "client_id={api_key}" \ 
-d "client_secret={api_secret}" \   
-d "code={authorization_code}"

Replace `{shop}`, `{api_key}`, `{api_secret}`, and `{authorization_code}` as described earlier in the private app section.

8. Receive the Access Token

If the request is successful, Shopify will respond with a JSON object containing an `access_token`. This is the token you’ll use to authenticate your API requests on behalf of the authorized merchant.

"access_token": "your-access-token"

Shopify API Access Token – FAQs

1. Can I use the same API Access Token for multiple Shopify stores?

No, API access tokens are typically specific to a single Shopify store. If you want to access multiple stores, you’ll need separate access tokens for each store.

2. How long is a Shopify API Access Token valid?

Shopify access tokens have a limited lifespan. The duration may vary depending on how they were obtained. For example, tokens obtained through OAuth 2.0 may have longer expiration periods (usually 1 hour) and may be refreshable, while private app tokens typically do not expire.

3. Can I refresh an expired Shopify API Access Token?

If you’re using OAuth 2.0 for public apps, you can often refresh an expired access token using a refresh token provided during the initial authentication process. Private app tokens do not expire in the same way, so they do not need refreshing.

4. How should I store my Shopify API Access Token securely?

It’s crucial to store your access token securely. You should avoid hardcoding it in your code and consider using environment variables or a secure configuration management system. Use best practices for securing your server or application where the token is stored.

5. What permissions do I need to request when obtaining a Shopify API Access Token?

The permissions you request depend on your app’s functionality. You should request only the scopes (permissions) that your app requires to perform its intended tasks. Requesting excessive permissions can lead to a more complex approval process for public apps.

6. Can I revoke a Shopify API Access Token?

Yes, Shopify store owners can revoke access to an app at any time. They can do this from their Shopify admin panel by going to the “Apps” section and revoking the app’s access.

Read more: Shopify vs Woocommerce vs Magento: What Works Best for Your Online Business?


Whether you’re a developer shaping cutting-edge solutions or a business owner streamlining your operations, this access token is your key to unlocking Shopify’s full potential.

With your Shopify API access token in hand, you’re ready to explore new horizons for your online business. Your e-commerce adventure begins now, and Shopify’s API is your trusted companion for the ride.

Image Description
A data-driven marketing leader with over 10 years of experience in the ecommerce industry. Summer leverages her deep understanding of customer behavior and market trends to develop strategic marketing campaigns that drive brand awareness, customer acquisition, and ultimately, sales growth for our company.
Website Support
& Maintenance Services

Make sure your store is not only in good shape but also thriving with a professional team yet at an affordable price.

Get Started
mageplaza services
    • insights

    People also searched for


    Stay in the know

    Get special offers on the latest news from Mageplaza.

    Earn $10 in reward now!

    Earn $10 in reward now!

    go up