If your Shopify integration stopped working or you’re setting up a new app, Shopify’s updated OAuth authentication system is likely the reason.
Shopify now requires developers to generate a Shopify Admin API access token using Shopify OAuth 2.0 authentication instead of older Shopify private app token methods.
To address the security weaknesses of static tokens, Shopify has transitioned toward a more modern authentication model built around OAuth, improved token management, and centralized app development workflows. These updates are part of a broader initiative to strengthen platform security and standardize how third-party applications interact with Shopify stores. The new Shopify OAuth access token workflow improves API security and gives merchants better control over application permissions.
These changes directly affect how applications authenticate with Shopify, manage credentials, and access Admin APIs. Developers maintaining existing integrations must update their systems to comply with Shopify’s OAuth-based authentication model.
For a hands-on implementation example, explore our WooCommerce to Shopify access token integration guide that walks through connecting both stores with secure authentication.
Quick Answer
Shopify now uses OAuth authentication instead of static API tokens. Developers must create apps in the Shopify Developer Dashboard and generate Admin API access tokens through OAuth authorization.
Need to generate a Shopify Admin API access token quickly? Jump directly to the 6-step Shopify OAuth setup guide below.
Key Takeaways
- Shopify has shifted from static API tokens to OAuth-based authentication. Access tokens are now generated through a structured authorization workflow instead of being copied directly from the admin dashboard.
- App development has moved to the Shopify Developer Dashboard. Developers now create and configure applications there before installing them in stores.
- Access tokens are generated through OAuth authorization. After merchant approval, the application receives an authorization code and exchanges it for a Shopify Admin API access token.
- API permissions are now scope-based. Merchants must approve the specific data access an app requests, improving transparency and security.
- Shopify now prioritizes the GraphQL Admin API. The REST Admin API is considered legacy, and new development should use GraphQL.
Why Shopify Moved to OAuth Authentication
For many years, Shopify allowed developers to create permanent Admin API tokens through private apps or custom apps inside the store’s admin dashboard. These tokens could be copied directly and used indefinitely for API requests.
From a development standpoint, this approach was extremely convenient. Developers could generate a token once, store it in an application, and continue using it without worrying about expiration or refresh cycles.
However, this simplicity created several security concerns.
Permanent tokens meant that if credentials were exposed through misconfigured servers, leaked environment files, or compromised repositories, attackers could potentially gain unrestricted access to store data. Since these tokens did not expire automatically, revoking them required manual intervention from the store owner.
As Shopify’s ecosystem expanded to include thousands of integrations interacting with merchant stores, relying on static authentication credentials became increasingly risky.
To improve platform security and align with modern API standards, Shopify transitioned toward a more controlled authentication model that emphasizes OAuth authorization, better permission management, and structured app development workflows.
These updates aim to accomplish several objectives:
- Reduce the risk of long-term credential exposure
- Encourage secure authentication workflows using OAuth
- Provide merchants with clearer visibility into app permissions
- Enable developers to manage API access more safely within their applications
By implementing these changes, Shopify brings its authentication architecture closer to how modern platforms such as Stripe, Slack, and Google Cloud handle API security.
| Old Shopify Authentication | New Shopify Authentication |
| Static API tokens | OAuth-based authentication |
| Tokens copied manually | Tokens generated programmatically |
| Limited permission visibility | Scope-based permissions |
| REST-focused APIs | GraphQL-first APIs |
| Higher security risks | Improved API security |
Major Shopify OAuth and Admin API Changes for Developers
Shopify’s authentication changes are not a single update but a series of platform improvements that collectively reshape how developers build and maintain integrations.
Understanding these changes is essential for anyone developing Shopify apps or maintaining existing API integrations.
1. App Creation Has Moved to the Shopify Developer Dashboard
Historically, developers could create API credentials directly inside a store’s Shopify admin panel. This meant app creation and store management happened in the same interface.
The traditional workflow looked like this:
Shopify Admin
→ Apps
→ Develop Apps
→ Create App
→ Generate Admin API Token
Shopify now encourages developers to create applications through the Shopify Developer Dashboard instead of relying on older custom app workflows inside the Shopify admin.
The modern workflow typically follows this structure:
Shopify Developer Dashboard
→ Create Application
→ Configure API Scopes
→ Install the App on a Store
→ Generate OAuth Access Token
This change separates application development from store administration, providing better security, improved permission management, and centralized visibility for developers managing multiple integrations.
2. Access Tokens Are Generated Through OAuth
Another major change involves how access tokens are generated. Instead of manually copying tokens from the Shopify admin interface, applications now rely on OAuth authorization flows to obtain access credentials.
OAuth provides a structured authentication process that requires merchant approval before an application can access store data.
After merchant approval, Shopify generates a Shopify OAuth access token that applications use for authenticated Admin API requests.
The typical OAuth workflow follows these steps:
- The application requests authorization from the store.
- The merchant reviews and approves the requested permissions.
- Shopify generates an authorization code.
- The application uses the authorization code to obtain an access token from Shopify.
Once this process is completed, the application can use the generated access token to send authenticated API requests.
A typical OAuth token exchange request looks like this:
Request:
| POST https://{shop}.myshopify.com/admin/oauth/access_token |
| { "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "code": "AUTHORIZATION_CODE" } |
Response:
| { "access_token": "shpat_xxxxxxxxx", "scope": "read_products,write_products" } |
This programmatic token generation ensures credentials are issued only after proper authorization and are tied to specific application permissions.
3. OAuth Is Now the Standard Authentication Model
Shopify strongly encourages developers to adopt OAuth-based authentication for all modern applications. OAuth provides a secure mechanism for granting controlled access to store data while giving merchants full visibility into what permissions an app requests.
During installation, merchants must explicitly approve the scopes an application requests. These scopes define what resources the app can access.
For example, an inventory management tool may request scopes such as:
read_products
write_inventory
read_orders
An app that handles customer data might request additional scopes like:
read_customers
write_customers
This permission-based model improves security because applications only receive the access they truly require.
OAuth also provides better control over app revocation. If a merchant uninstalls an app, its associated access token becomes invalid immediately, preventing further API access.
OAuth is now the standard authentication method for public Shopify apps and SaaS integrations. However, certain custom apps created directly inside Shopify Admin may still use simplified token-based authentication workflows.
4. Shopify Has Shifted Toward GraphQL APIs
Alongside authentication improvements, Shopify has made the GraphQL Admin API its primary interface. The REST Admin API is now considered legacy, so developers should prioritize GraphQL for new integrations.
In 2024, Shopify officially labeled the REST Admin API as legacy, signaling that new development should rely on GraphQL whenever possible.
GraphQL allows developers to request multiple resources in a single query, making API interactions significantly more efficient.
A typical GraphQL endpoint looks like this:
POST /admin/api/2026-01/graphql.json
Note: Replace 2026-01 with the latest supported Shopify API version listed in Shopify’s official API versioning documentation.
Example query:
| { products(first: 5) { edges { node { id title totalInventory } } } } |
Compared with REST APIs, GraphQL provides several advantages:
- Multiple resources can be fetched in a single request
- Developers retrieve only the fields they need
- API request counts are reduced
- Many new Shopify features are introduced through GraphQL first
For developers building Shopify applications today, GraphQL should be considered the primary API interface.
How to Generate a Shopify Admin API Access Token in 6 Steps
Although Shopify no longer displays Admin API access tokens directly inside the developer dashboard, developers can still generate them using Shopify’s OAuth authentication workflow. The process involves creating an application, installing it on a store, and exchanging an authorization code for an access token.
The steps below explain how developers typically generate an access token for a Shopify integration.
For a complete, real‑world walkthrough, explore our WooCommerce to Shopify authentication guide, where we show how to generate and use Shopify access tokens with the W2S plugin.
Step 1: Create a Custom App in the Developer Dashboard
Start by creating a new application in your Shopify Developer Dashboard.
From your Shopify Admin:
- Click your profile icon in the top-right corner.
- Select Dev Dashboard.
- Click Create App.
During setup, Shopify asks for basic configuration details such as:
- App Name – A descriptive name for the integration (for example, the name of the third-party tool you are connecting).
- App URL – The location users are redirected to after installing the app. If you do not have an onboarding flow, you may temporarily use a placeholder or local development URL.
- Embedded App option – Enable this only if your app will run inside the Shopify admin interface.
Once these details are configured, save the application to continue.
Step 2: Configure API Scopes (Permissions)
After creating the app, you must define the API scopes the application requires.
API scopes determine which parts of the Shopify store the application can access. Common examples include:
- read_products
- write_products
- read_orders
- write_orders
- read_inventory
- write_inventory
Only request the permissions required for your integration. Limiting scopes reduces security risks and ensures your application only accesses the necessary store resources.
You must also define a Redirect URL, which Shopify uses during the OAuth authentication process. This URL acts as a trusted destination where Shopify sends users after the authorization process is completed.
After configuring the scopes and redirect URL, release the new app version.
Step 3: Retrieve Your Client ID and Client Secret
Once the application is created, Shopify generates two credentials required for authentication:
- Client ID – A unique identifier used to identify your application.
- Client Secret – A confidential key used to verify the identity of your application.
These credentials are available in the Settings tab of your app in the Developer Dashboard.
Together, the Client ID and Client Secret function similarly to a username and password during the OAuth authentication process. Because the Client Secret is sensitive information, it should always be stored securely on the server and never exposed publicly.
Step 4: Install the App to Start Generating a Shopify Admin API Access Token
Before an access token can be generated, the application must be installed on the Shopify store.
In the Developer Dashboard:
- Open your app configuration.
- Navigate to the Installs section.
- Click Install App.
- Select the store where the application should be installed.
Shopify will display a permission approval screen showing all the scopes requested by the application. After the store owner approves these permissions, the app becomes authorized to access the store.
Step 5: Start the OAuth Authorization Flow
After the app is installed, the OAuth authentication process must be initiated to generate your Shopify Admin API access token.
Developers start this process by constructing an authorization URL using the store’s domain and the app’s Client ID.
Example authorization URL:
| https://{shop}.myshopify.com/admin/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URL |
When this URL is opened in the browser, Shopify begins the authorization process and redirects the user to the configured redirect URL after authentication.
During this redirect, Shopify includes a temporary authorization code in the URL parameters.
Step 6: Exchange the Authorization Code for a Shopify Admin API Access Token
The authorization code received in the previous step is used to request the final Admin API access token.
To generate the token, developers send an HTTP POST request to Shopify’s OAuth endpoint:
| https://{shop}.myshopify.com/admin/oauth/access_token |
The request must include the following parameters:
- client_id
- client_secret
- code (authorization code received from Shopify)
Example request payload:
| { "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "code": "AUTHORIZATION_CODE" } |
If the request is valid, Shopify returns the Admin API access token in the response.
Example response:
| { "access_token": "shpat_xxxxxxxxxxxxxxxxx", "scope": "write_products" } |
This access token is then used to authenticate future API requests to the Shopify Admin API.
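Steps 5 and 6 sketched as an added Python example (not code from this article or from Shopify): it builds the authorization URL with a `state` nonce, validates the redirect before trusting its `code`, and constructs the token exchange request without sending it. The `scope` and `state` parameters, the shop-domain pattern, the `hmac` check (sorted `key=value` pairs signed with the client secret) and all sample values are assumptions not shown on this page; confirm them against Shopify's OAuth documentation.

```python
import hashlib
import hmac
import json
import re
import secrets
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request

# Assumed shop-domain pattern; checked before the value is placed in any URL.
SHOP_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com")


def build_authorize_url(shop, client_id, scopes, redirect_uri):
    """Step 5: return (url, state); keep state in the server-side session."""
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("invalid shop domain")
    state = secrets.token_urlsafe(32)  # unguessable nonce tied to this session
    query = urlencode({"client_id": client_id, "scope": ",".join(scopes),
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://{shop}/admin/oauth/authorize?{query}", state


def sign_query(params, client_secret):
    """Hex HMAC-SHA256 of the sorted key=value pairs, keyed with the client secret."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hmac.new(client_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(query_string, expected_state, client_secret):
    """Check the redirect before trusting it; return (shop, code) or raise ValueError."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    received = params.pop("hmac", "")
    expected = sign_query(params, client_secret)
    if not hmac.compare_digest(received.encode(), expected.encode()):
        raise ValueError("hmac mismatch: query was not signed with this app's secret")
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    shop = params.get("shop", "")
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("invalid shop domain")
    if not params.get("code"):
        raise ValueError("missing authorization code")
    return shop, params["code"]


def token_exchange_request(shop, client_id, client_secret, code):
    """Step 6: build (not send) the server-side POST that trades the code for a token."""
    body = json.dumps({"client_id": client_id, "client_secret": client_secret, "code": code})
    return Request(f"https://{shop}/admin/oauth/access_token", data=body.encode(),
                   headers={"Content-Type": "application/json"}, method="POST")


if __name__ == "__main__":
    SECRET = "constructed-client-secret"  # constructed sample values throughout
    url, state = build_authorize_url("example-store.myshopify.com", "constructed-client-id",
                                     ["read_products"], "https://app.example.com/callback")
    signed = {"code": "constructed-code", "shop": "example-store.myshopify.com",
              "state": state, "timestamp": "1700000000"}
    callback = urlencode({**signed, "hmac": sign_query(signed, SECRET)})
    shop, code = verify_callback(callback, state, SECRET)
    print(token_exchange_request(shop, "constructed-client-id", SECRET, code).full_url)
```

Run the exchange only on the server, and discard the stored `state` after one use so a replayed callback fails the comparison.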
Already building a Shopify integration? Make sure your app follows Shopify’s latest OAuth authentication and GraphQL API standards before deployment.
Important Security Note
A Shopify Admin API access token provides powerful access to store data. Developers should always store tokens securely and avoid exposing them in client-side code or public repositories. If an access token becomes compromised, the associated app should be revoked immediately to prevent unauthorized API access.
Shopify API Authentication Best Practices
As Shopify strengthens its authentication model, developers working with a Shopify Admin API access token should adopt secure credential management practices when building integrations.
In our WooCommerce to Shopify Integration documentation, you can see how these best practices are applied when configuring and storing Shopify tokens for live stores.
First, avoid embedding access tokens directly into application code. Hardcoding credentials inside source files creates serious security risks if the repository becomes exposed.
Instead, credentials should be stored in secure configuration systems such as environment variables or secret management tools.
It is also important to ensure that the client secret remains strictly on the server side. Exposing the client secret in frontend JavaScript or public repositories could allow attackers to generate unauthorized access tokens.
Applications should also maintain secure token storage mechanisms. Many teams store tokens in encrypted database fields or credential vault systems to prevent unauthorized access.
Secure Shopify Admin API authentication helps protect sensitive store and customer data from unauthorized access.
Finally, developers should always use Shopify’s versioned API endpoints when making requests. Shopify releases new API versions quarterly, and using versioned endpoints helps ensure integrations remain compatible as the platform evolves.
Common Shopify OAuth Errors and How to Fix Them
Developers upgrading older Shopify integrations often encounter OAuth authentication issues while generating or using a Shopify Admin API access token. The following errors are among the most common Shopify OAuth problems and their recommended fixes.
| Error | Cause | Solution |
| invalid_client | Wrong client secret | Verify Client ID and Client Secret |
| redirect_uri mismatch | Redirect URL does not match app settings | Update the redirect URL in Shopify Developer Dashboard |
| invalid_scope | Unsupported or incorrect API scopes | Use valid Shopify API scopes |
| invalid_request | Missing OAuth parameters | Verify all OAuth request parameters |
| expired authorization code | Authorization code expired or reused | Restart the OAuth flow |
| REST API warning | Using deprecated REST endpoints | Move to Shopify GraphQL APIs |
If you are using W2S, our Sync Pro features guide explains how to handle sync issues and optimize Shopify API usage with advanced options.
Conclusion
The Shopify Admin API access token changes introduced in recent platform updates reflect Shopify’s broader effort to modernize its developer ecosystem.
By adopting OAuth authentication, improving permission management, and transitioning toward GraphQL APIs, Shopify is creating a more secure and scalable environment for building integrations.
For developers maintaining Shopify applications, adapting to these changes is essential. Implementing OAuth correctly, securing API credentials, and gradually migrating legacy REST integrations will help ensure your applications remain compatible with Shopify’s evolving platform.
Although these updates require adjustments to existing development workflows, they ultimately provide a stronger foundation for building reliable and secure Shopify integrations.
If you are integrating WooCommerce and Shopify, explore our W2S – WooCommerce to Shopify Sync plugin to implement these OAuth, access token, and GraphQL best practices in a production‑ready workflow.
FAQ:
1. What changed in Shopify access token authentication?
Shopify now uses OAuth-based authentication instead of relying on manually generated static API tokens. Developers must create apps through the Shopify Developer Dashboard and generate access tokens using the OAuth authorization workflow.
2. How do I find my Shopify Admin API access token?
You cannot view an existing Shopify Admin API access token after it is generated – Shopify only displays it once during the OAuth flow. If you have lost your token, you will need to regenerate it by reinstalling the app or restarting the OAuth authorization process. Always store your access token securely in environment variables immediately after generation.
3. Are Shopify private apps still supported?
Existing private or custom apps may continue to work, but Shopify now encourages developers to build new integrations using custom apps and OAuth authentication through the Shopify Developer Dashboard.
4. Do Shopify Admin API access tokens expire?
No, Shopify Admin API access tokens usually do not expire automatically. The token remains valid until the merchant uninstalls the app or manually revokes access permissions. However, developers should still treat Shopify OAuth access tokens as sensitive credentials and store them securely using environment variables or secret management systems.
5. Is the Shopify REST Admin API deprecated?
Shopify has labeled the REST Admin API as legacy and recommends developers use the Shopify GraphQL Admin API for all new application development.
6. What is a Shopify OAuth access token?
A Shopify OAuth access token is a secure credential generated after a merchant approves an app through Shopify’s OAuth authentication process. This Shopify Admin API access token is used to send authenticated requests to the Shopify Admin API.
7. What is shpat_ in Shopify?
The shpat_ prefix identifies a Shopify Admin API access token generated through OAuth authentication. Developers use these tokens to send authenticated requests to Shopify Admin APIs securely.
8. Why is Shopify moving toward GraphQL APIs?
Shopify prioritizes GraphQL because it improves API efficiency, reduces request usage, and allows developers to fetch multiple resources in a single query. Many new Shopify platform features are now released through GraphQL first.