Shopify API authentication
This guide introduces the different methods of authenticating and authorizing apps with Shopify’s platform. Make sure that you understand the differences between the types of authentication and authorization schemes before you begin your development process.
Authentication vs authorization
Authentication is the process of verifying the identity of the user or the app. To keep transactions on Shopify’s platform safe and secure, all apps connecting with Shopify APIs must authenticate when making API requests.
Authorization is the process of giving permissions to apps. Merchants can authorize Shopify apps to access data in a store. For example, an app might be authorized to access orders and product data in a store.
Types of authentication and authorization methods
The authentication or authorization methods that your app needs to use depend on the tool that you used to create your app, and the components that your app uses.
API access modes
Access tokens for the Storefront API
Requests to the GraphQL Storefront API require a valid Shopify access token. You require different access tokens depending on where the request is coming from. The following are Storefront API access types and the tokens they require:
Public access: Used when querying the API from a browser or mobile app.
Authenticated access: Used when querying the API from a server or other private context, like a Hydrogen backend.
Getting started with public access
Your app requires a storefront access token for public access.
Public access to the Storefront API enables your app to make requests from public contexts like a browser. With public access, capacity scales with the number of buyers based on customer IP. In most cases, this is the IP of someone browsing your site or using your mobile app. Learn more about Storefront API rate limits.
To use public access, you need to create a public access token for your app by making a request to the GraphQL Admin API's storefrontAccessTokenCreate mutation or the REST Admin API's StorefrontAccessToken resource. Include your storefront access token as an X-Shopify-Storefront-Access-Token header on all queries that originate from a buyer client, such as a mobile app or browser. You only need one access token for each shop. Alternatively, you can create a custom app in the Shopify admin, and retrieve your Storefront API access token and manage access scopes from there.
Getting started with authenticated access
Your app requires a delegate access token for requests from a server or other private context.
Authenticated access to the Storefront API enables your app to make requests from private or authenticated contexts like an Oxygen deployment, Hydrogen backend, or other server. With authenticated access, your requests are throttled at the shop level and optionally by a forwarded IP. This is advantageous because your server needs a much larger capacity for making requests for many buyers. The app throttle scales with the Shopify platform and isn't fixed. Under high load, such as for flash sales, both the platform and the throttle scale to support more requests.
To use authenticated access, you need to create a delegate access token for your app by making a request to the GraphQL Admin API's delegateAccessTokenCreate mutation. Include your delegate access token as a Shopify-Storefront-Private-Token header on requests from a server. You only need one access token for a shop, unless you need to rotate the token or change the access scopes available to the token.
Optional IP header
It's best practice to include the Shopify-Storefront-Buyer-IP header if you're using authenticated access for handling buyer requests. There are some cases when the API request isn't on behalf of a buyer, such as during a static site build, where the header isn't needed.
The Shopify-Storefront-Buyer-IP header enables the platform to impose IP-level rate limiting as an added protection against a single user, such as a bot, consuming a high level of capacity.
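The two access modes described above, assembled into request objects, as an added example that is not Shopify's own code. It assumes the Storefront API endpoint path https://{shop}.myshopify.com/api/{version}/graphql.json; the shop name, API version and token values used with it are constructed placeholders.

```javascript
// Added example (not Shopify's code). Builds a Storefront API request for
// either access mode so that the token header, and the optional buyer IP
// header, are chosen by the calling context rather than by hand.
const PUBLIC_TOKEN_HEADER = "X-Shopify-Storefront-Access-Token";
const PRIVATE_TOKEN_HEADER = "Shopify-Storefront-Private-Token";
const BUYER_IP_HEADER = "Shopify-Storefront-Buyer-IP";

// Assumption: endpoint path format for the GraphQL Storefront API.
function storefrontEndpoint(shop, apiVersion) {
  return `https://${shop}.myshopify.com/api/${apiVersion}/graphql.json`;
}

// mode: "public" (browser or mobile app, storefront access token) or
//       "authenticated" (server, delegate access token).
// buyerIp: the buyer's IP, forwarded only in authenticated mode; leave it
//          null when the request is not on a buyer's behalf (static builds).
function buildStorefrontRequest({ mode, shop, apiVersion, token, query, variables = {}, buyerIp = null }) {
  if (!token) throw new Error("access token is required");
  const headers = { "Content-Type": "application/json" };
  if (mode === "public") {
    // Design choice here: in public access the platform already limits by the
    // client's own IP, so a forwarded buyer IP is treated as a caller error.
    if (buyerIp !== null) throw new Error("buyer IP header is only for authenticated access");
    headers[PUBLIC_TOKEN_HEADER] = token;
  } else if (mode === "authenticated") {
    headers[PRIVATE_TOKEN_HEADER] = token;
    if (buyerIp !== null) headers[BUYER_IP_HEADER] = buyerIp;
  } else {
    throw new Error(`unknown access mode: ${mode}`);
  }
  return {
    url: storefrontEndpoint(shop, apiVersion),
    method: "POST",
    headers,
    body: JSON.stringify({ query, variables }),
  };
}

// Guard for code paths that run in a buyer client: a request carrying the
// delegate token header (or a forwarded buyer IP) must never be assembled
// in the browser, because that token would then be exposed to every visitor.
function safeForPublicClient(request) {
  return !(PRIVATE_TOKEN_HEADER in request.headers) && !(BUYER_IP_HEADER in request.headers);
}
```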