Table of Contents
Shopify’s developer ecosystem has undergone several structural changes over the past few years, particularly in the way applications authenticate with the platform. Earlier integrations relied heavily on permanent API tokens generated directly from the Shopify admin interface. While this method made integrations easier to set up, it also introduced long-term security risks.
To address these issues, Shopify has transitioned toward a more modern authentication model built around OAuth, improved token management, and centralized app development workflows. These updates are part of a broader initiative to strengthen platform security and standardize how third-party applications interact with Shopify stores.
For developers maintaining integrations, these changes directly affect how applications authenticate with Shopify, manage credentials, and access Admin APIs. Systems that rely on Shopify APIs, including automation tools, inventory synchronization platforms, CRM integrations, and custom store applications, must update their integrations to comply with Shopify’s OAuth-based authentication model.
In this guide, we will explore the key Shopify access token changes introduced through recent platform updates, explain why Shopify implemented them, and outline how developers should adjust their integration workflows.
Key Takeaways
- Shopify has shifted from static API tokens to OAuth-based authentication. Access tokens are now generated through a structured authorization workflow instead of being copied directly from the admin dashboard.
- App development has moved to the Shopify Developer Dashboard. Developers now create and configure applications there before installing them in stores.
- Access tokens are generated through OAuth authorization. After merchant approval, the application receives an authorization code and exchanges it for an Admin API access token.
- API permissions are now scope-based. Merchants must approve the specific data access an app requests, improving transparency and security.
- Shopify has prioritized GraphQL APIs over the legacy REST Admin API. The REST Admin API is considered legacy, and new development should prioritize the GraphQL Admin API.
Why Shopify Updated Access Token Authentication
For many years, Shopify allowed developers to create permanent Admin API tokens through private apps or custom apps inside the store’s admin dashboard. These tokens could be copied directly and used indefinitely for API requests.
From a development standpoint, this approach was extremely convenient. Developers could generate a token once, store it in an application, and continue using it without worrying about expiration or refresh cycles.
However, this simplicity created several security concerns.
Permanent tokens meant that if credentials were exposed, through misconfigured servers, leaked environment files, or compromised repositories, attackers could potentially gain unrestricted access to store data. Since these tokens did not expire automatically, revoking them required manual intervention from the store owner.
As Shopify’s ecosystem expanded to include thousands of integrations interacting with merchant stores, relying on static authentication credentials became increasingly risky.
To improve platform security and align with modern API standards, Shopify transitioned toward a more controlled authentication model that emphasizes OAuth authorization, better permission management, and structured app development workflows.
These updates aim to accomplish several objectives:
- Reduce the risk of long-term credential exposure
- Encourage secure authentication workflows using OAuth
- Provide merchants with clearer visibility into app permissions
- Enable developers to manage API access more safely within their applications
By implementing these changes, Shopify brings its authentication architecture closer to how modern platforms such as Stripe, Slack, and Google Cloud handle API security.
Major Shopify Access Token Changes Developers Should Know
Shopify’s authentication changes are not a single update but a series of platform improvements that collectively reshape how developers build and maintain integrations.
Understanding these changes is essential for anyone developing Shopify apps or maintaining existing API integrations.
1. App Creation Has Moved to the Shopify Developer Dashboard
Historically, developers could create API credentials directly inside a store’s Shopify admin panel. This meant app creation and store management happened in the same interface.
The traditional workflow looked like this:
Shopify Admin
→ Apps
→ Develop Apps
→ Create App
→ Generate Admin API Token
However, beginning January 1, 2026, Shopify discontinued the creation of new legacy custom apps directly from the Shopify admin. Developers must now create applications through the Shopify Developer Dashboard, where apps are configured before being installed on stores.
The modern workflow typically follows this structure:
Shopify Developer Dashboard
→ Create Application
→ Configure API Scopes
→ Install the App on a Store
→ Generate OAuth Access Token
This change separates application development from store administration, providing better security, improved permission management, and centralized visibility for developers managing multiple integrations.
2. Access Tokens Are Generated Through OAuth
Another major change involves how access tokens are generated. Instead of manually copying tokens from the Shopify admin interface, applications now rely on OAuth authorization flows to obtain access credentials.
OAuth provides a structured authentication process that requires merchant approval before an application can access store data.
The typical OAuth workflow follows these steps:
- The application requests authorization from the store.
- The merchant reviews and approves the requested permissions.
- Shopify generates an authorization code.
- The application uses the authorization code to obtain an access token from Shopify.
Once this process is completed, the application can use the generated access token to send authenticated API requests.
A typical OAuth token exchange request looks like this:
POST https://{shop}.myshopify.com/admin/oauth/access_token
Request payload:
{
“client_id”: “YOUR_CLIENT_ID”,
“client_secret”: “YOUR_CLIENT_SECRET”,
“code”: “AUTHORIZATION_CODE”
}
Response:
{
“access_token”: “shpat_xxxxxxxxx”,
“scope”: “read_products,write_products”
}
This programmatic token generation ensures credentials are issued only after proper authorization and are tied to specific application permissions.
3. OAuth Is Now the Standard Authentication Model
Shopify strongly encourages developers to adopt OAuth-based authentication for all modern applications. OAuth provides a secure mechanism for granting controlled access to store data while giving merchants full visibility into what permissions an app requests.
During installation, merchants must explicitly approve the scopes an application requests. These scopes define what resources the app can access.
For example, an inventory management tool may request scopes such as:
read_products
write_inventory
read_orders
An app that handles customer data might request additional scopes like:
read_customers
write_customers
This permission-based model improves security because applications only receive the access they truly require.
OAuth also provides better control over app revocation. If a merchant uninstalls an app, its associated access token becomes invalid immediately, preventing further API access.
For developers building embedded apps or SaaS integrations, implementing OAuth is no longer optional, it is the standard method for authenticating Shopify API requests.
4. Shopify Has Shifted Toward GraphQL APIs
Alongside authentication improvements, Shopify has prioritized the GraphQL Admin API as its primary interface, while the REST Admin API is now considered legacy.
In 2024, Shopify officially labeled the REST Admin API as legacy, signaling that new development should rely on GraphQL whenever possible.
GraphQL allows developers to request multiple resources in a single query, making API interactions significantly more efficient.
A typical GraphQL endpoint looks like this:
POST /admin/api/2026-01/graphql.json
Example query:
{
products(first: 5) {
edges {
node {
id
title
totalInventory
}
}
}
}
Compared with REST APIs, GraphQL provides several advantages:
- Multiple resources can be fetched in a single request
- Developers retrieve only the fields they need
- API request counts are reduced
- Many new Shopify features are introduced through GraphQL first
For developers building Shopify applications today, GraphQL should be considered the primary API interface.
How to Generate a Shopify Admin API Access Token (Step-by-Step)
Although Shopify no longer displays Admin API access tokens directly inside the developer dashboard, developers can still generate them using Shopify’s OAuth authentication workflow. The process involves creating an application, installing it on a store, and exchanging an authorization code for an access token.
If you prefer a visual walkthrough of the process, the following tutorial explains how developers generate an Admin API access token using Shopify’s current workflow.
The steps below summarize the same process and explain how developers typically generate an access token for a Shopify integration.
Step 1: Create a Custom App in the Developer Dashboard
Start by creating a new application in your Shopify Developer Dashboard.
From your Shopify Admin:
- Click your profile icon in the top-right corner.
- Select Dev Dashboard.
- Click Create App.
During setup, Shopify asks for basic configuration details such as:
- App Name – A descriptive name for the integration (for example, the name of the third-party tool you are connecting).
- App URL – The location users are redirected to after installing the app. If you do not have an onboarding flow, you may temporarily use a placeholder or local development URL.
- Embedded App option – Enable this only if your app will run inside the Shopify admin interface.
Once these details are configured, save the application to continue.
Step 2: Configure API Scopes (Permissions)
After creating the app, you must define the API scopes the application requires.
API scopes determine which parts of the Shopify store the application can access. Common examples include:
- read_products
- write_products
- read_orders
- write_orders
- read_inventory
- write_inventory
Only request the permissions required for your integration. Limiting scopes reduces security risks and ensures your application only accesses the necessary store resources.
You must also define a Redirect URL, which Shopify uses during the OAuth authentication process. This URL acts as a trusted destination where Shopify sends users after the authorization process is completed.
After configuring the scopes and redirect URL, release the new app version.
Step 3: Retrieve Your Client ID and Client Secret
Once the application is created, Shopify generates two credentials required for authentication:
- Client ID – A unique identifier used to identify your application.
- Client Secret – A confidential key used to verify the identity of your application.
These credentials are available in the Settings tab of your app in the Developer Dashboard.
Together, the Client ID and Client Secret function similarly to a username and password during the OAuth authentication process. Because the Client Secret is sensitive information, it should always be stored securely on the server and never exposed publicly.
Step 4: Install the App on the Store
Before an access token can be generated, the application must be installed on the Shopify store.
In the Developer Dashboard:
- Open your app configuration.
- Navigate to the Installs section.
- Click Install App.
- Select the store where the application should be installed.
Shopify will display a permission approval screen showing all the scopes requested by the application. After the store owner approves these permissions, the app becomes authorized to access the store.
Step 5: Start the OAuth Authorization Flow
After the app is installed, the OAuth authentication process must be initiated.
Developers start this process by constructing an authorization URL using the store’s domain and the app’s Client ID.
Example authorization URL:
When this URL is opened in the browser, Shopify begins the authorization process and redirects the user to the configured redirect URL after authentication.
During this redirect, Shopify includes a temporary authorization code in the URL parameters.
Step 6: Exchange the Authorization Code for an Access Token
The authorization code received in the previous step is used to request the final Admin API access token.
To generate the token, developers send an HTTP POST request to Shopify’s OAuth endpoint:
https://{shop}.myshopify.com/admin/oauth/access_token
The request must include the following parameters:
- client_id
- client_secret
- code (authorization code received from Shopify)
Example request payload:
{
“client_id”: “YOUR_CLIENT_ID”,
“client_secret”: “YOUR_CLIENT_SECRET”,
“code”: “AUTHORIZATION_CODE”
}
If the request is valid, Shopify returns the Admin API access token in the response.
Example response:
{
“access_token”: “shpat_xxxxxxxxxxxxxxxxx”,
“scope”: “write_products”
}
This access token is then used to authenticate future API requests to the Shopify Admin API.
Important Security Note
An Admin API access token provides powerful access to store data. Developers should always store tokens securely and avoid exposing them in client-side code or public repositories. If an access token becomes compromised, the associated app should be revoked immediately to prevent unauthorized API access.
Best Practices for Managing Shopify API Authentication
As Shopify strengthens its authentication model, developers should adopt secure credential management practices when building integrations.
First, avoid embedding access tokens directly into application code. Hardcoding credentials inside source files creates serious security risks if the repository becomes exposed.
Instead, credentials should be stored in secure configuration systems such as environment variables or secret management tools.
It is also important to ensure that the client secret remains strictly on the server side. Exposing the client secret in frontend JavaScript or public repositories could allow attackers to generate unauthorized access tokens.
Applications should also maintain secure token storage mechanisms. Many teams store tokens in encrypted database fields or credential vault systems to prevent unauthorized access.
Finally, developers should always use Shopify’s versioned API endpoints when making requests. Shopify releases new API versions quarterly, and using versioned endpoints helps ensure integrations remain compatible as the platform evolves.
Common Issues Developers Encounter After Authentication Updates
Developers upgrading older Shopify integrations often encounter several issues related to authentication changes.
One common problem is confusion about where access tokens are generated. Developers accustomed to copying tokens from the Shopify admin interface may initially struggle with OAuth-based authentication workflows.
Another frequent issue occurs when older integrations stop working after Shopify API updates. This can happen when an application uses outdated API versions or relies on deprecated authentication patterns.
REST API usage can also generate warnings or errors in newer Shopify environments. Since Shopify now prioritizes GraphQL APIs, developers maintaining older REST integrations should consider gradually migrating their API calls.
OAuth implementation errors can also cause authentication failures. Incorrect redirect URLs, invalid signature verification, or reusing authorization codes can all break the token exchange process.
Understanding these potential challenges can help developers troubleshoot authentication issues more efficiently.
FAQ: Shopify Access Token Changes
1. What changed in Shopify access tokens?
Shopify has strengthened its authentication model by encouraging OAuth-based authentication, improved credential management practices, and stricter API security policies.
2. Are private apps still supported?
Existing private or custom apps continue to function, but Shopify now requires developers to create new applications through the Developer Dashboard using OAuth authentication.
3. Do Shopify access tokens expire?
Many Shopify access tokens remain valid until the app is uninstalled, but developers should design applications with secure token storage and regeneration mechanisms.
4. Should developers migrate from REST to GraphQL?
Yes. Shopify’s long-term API strategy prioritizes the GraphQL Admin API, and many new platform features are introduced through GraphQL.
Conclusion
The Shopify access token changes introduced in recent platform updates reflect Shopify’s broader effort to modernize its developer ecosystem.
By adopting OAuth authentication, improving permission management, and transitioning toward GraphQL APIs, Shopify is creating a more secure and scalable environment for building integrations.
For developers maintaining Shopify applications, adapting to these changes is essential. Implementing OAuth correctly, securing API credentials, and gradually migrating legacy REST integrations will help ensure your applications remain compatible with Shopify’s evolving platform.
Although these updates require adjustments to existing development workflows, they ultimately provide a stronger foundation for building reliable and secure Shopify integrations.
