You can create a custom app for a store directly in the Shopify admin. To authenticate an admin-created custom app, you or the app user needs to install the app from the Shopify admin to generate API credentials and the necessary API access tokens. > Note: > This guide applies only to custom apps that were created in the Shopify admin. > If you created a custom storefront with the Headless channel in the Shopify admin, then Shopify creates public and private access tokens for you. For more information, refer to [Getting started with the Storefront API](/docs/storefronts/headless/building-with-the-storefront-api/getting-started). > If you created a custom app in the Partner Dashboard or with Shopify CLI, refer to [About token acquisition](/docs/apps/build/authentication-authorization/access-tokens/). ## Requirements - You or the app user you're working with has created a Shopify store. - If you have a staff or collaborator account on a user's store, then make sure that the user gives you the [relevant permissions](#changing-api-scopes) to create a custom app and assign API scopes. - The different [ways that you can distribute your app](/docs/apps/launch/distribution/select-distribution-method). - You're familiar with the [different methods of authenticating and authorizing apps](/docs/apps/build/authentication-authorization) with Shopify’s platform. ## Step 1: Create and install the app You or the user can create and install a custom app in the Shopify admin by following the [Custom apps documentation](https://help.shopify.com/manual/apps/custom-apps) on the Shopify Help Center. ## Step 2: Make authenticated requests A custom app can make authenticated requests to the GraphQL Admin API using the API access tokens that are generated when the app is installed on the store. The following example shows how to retrieve a list of products using the [GraphQL Admin API](/docs/api/admin-graphql). <p> <div class="react-code-block" data-preset="terminal"> <div class="react-code-block-preload ThemeMode-dim"> <div class="react-code-block-preload-bar "></div> <div class="react-code-block-preload-placeholder-container"> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> <div class="react-code-block-preload-code-container"> <div class="react-code-block-preload-codeline-number"></div> <div class="react-code-block-preload-codeline"></div> </div> </div> </div> <script data-option="title" data-value="Terminal"></script> <script type="text/plain" data-language="curl" data-title="GraphQL"> curl -X POST \ https://{shop}.myshopify.com/admin/api/2025-01/graphql.json \ -H 'Content-Type: application/json' \ -H 'X-Shopify-Access-Token: {access_token}' \ -d '{ "query": "query { products(first: 5) { edges { node { id handle } } pageInfo { hasNextPage } } }" }' </script> </div> </p> ## Rotating API credentials or generating new access tokens for admin-created apps You can't rotate API credentials for custom apps created in the Shopify admin. You need to delete the app and [create a new custom app](https://shopify.dev/docs/api/shopify-app-remix/v3/guide-custom-apps) which will have new API credentials. To create new [access tokens](/docs/apps/build/authentication-authorization/access-tokens/generate-app-access-tokens-admin) for a custom app that was created in the Shopify admin, you need to [uninstall and reinstall](https://help.shopify.com/manual/apps/custom-apps) your app. > Caution: > Your app's requests and webhooks will be disrupted until you update your app's code with the new API credentials or access token. If you want to rotate access tokens for a custom storefront that you build with the Headless channel, refer to the documentation on [rotating private access tokens in the Shopify admin](/docs/storefronts/headless/building-with-the-storefront-api/manage-headless-channels#rotate-private-access-tokens). ## Changing API scopes Anyone with a staff or collaborator account on a store can change what store resources an admin-created custom app can access, but only if they have all the following permissions: - the **Manage and install apps and channels** permission and the **Develop apps** permission - the relevant permissions for the respective store resource For example, if a staff or collaborator account has the **View or manage products, variants, and collections** permission for the store, then they can only change API scopes related to the store's products, variants, and collections. The store owner can [change the permissions for a staff or collaborator account](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions) in the Shopify admin. ### Permissions required to assign scopes to a custom app The following table shows what store permissions a staff account or collaborator account needs to assign [Admin API access scopes](/docs/api/usage/access-scopes) to an admin-created custom app. In all cases, the account must also have the **Develop apps** permission. <table> <thead> <tr> <th>Admin API scope name</th> <th>Permissions required for the staff or collaborator account</th> </tr> </thead> <tbody> <tr> <td><code>read_analytics</code></td> <td>View store metrics</td> </tr> <tr> <td><code>read_assigned_fulfillment_orders</code>, <code>write_assigned_fulfillment_orders</code></td> <td>View or manage fulfillment orders</td> </tr> <tr> <td><code>read_customer_merge</code>, <code>write_customer_merge</code></td> <td>View or manage customer profile merges</td> </tr> <tr> <td><code>read_customers</code>, <code>write_customers</code></td> <td>View or manage customers, customer addresses, order history, and customer groups</td> </tr> <tr> <td><code>read_discounts</code>, <code>write_discounts</code></td> <td>View or manage automatic discounts and discount codes</td> </tr> <tr> <td><code>read_draft_orders</code>, <code>write_draft_orders</code></td> <td>View or manage orders created by app users on behalf of customers</td> </tr> <tr> <td><code>read_files</code>, <code>write_files</code></td> <td>View or manage files</td> </tr> <tr> <td><code>read_fulfillments</code>, <code>write_fulfillments</code></td> <td>View or manage fulfillment services</td> </tr> <tr> <td><code>read_gdpr_data_request</code></td> <td>View GDPR data requests</td> </tr> <tr> <td><code>read_gift_cards</code>, <code>write_gift_cards</code></td> <td>View or manage gift cards (Available to Plus merchants only)</td> </tr> <tr> <td><code>read_inventory</code>, <code>write_inventory</code></td> <td>View or manage inventory across multiple locations</td> </tr> <tr> <td><code>read_legal_policies</code>, <code>write_legal_policies</code></td> <td>View or manage a shop’s legal policies</td> </tr> <tr> <td><code>read_locations</code></td> <td>View the geographic location of stores, headquarters, and warehouses</td> </tr> <tr> <td><code>read_marketing_events</code>, <code>write_marketing_events</code></td> <td>View or manage marketing events and engagement data</td> </tr> <tr> <td><code>read_merchant_managed_fulfillment_orders</code>, <code>write_merchant_managed_fulfillment_orders</code></td> <td>View or manage fulfilment orders assigned to merchant-managed locations</td> </tr> <tr> <td><code>read_metaobject_definitions</code>, <code>write_metaobject_definitions</code></td> <td>View or manage metaobject definitions</td> </tr> <tr> <td><code>read_metaobjects</code>, <code>write_metaobjects</code></td> <td>View or manage metaobject entries</td> </tr> <tr> <td><code>read_online_store_navigation</code></td> <td>View menus for display on the storefront</td> </tr> <tr> <td><code>read_online_store_pages</code>, <code>write_online_store_pages</code></td> <td>View or manage Online Store pages</td> </tr> <tr> <td><code>read_order_edits</code>, <code>write_order_edits</code></td> <td>View or manage edits to orders</td> </tr> <tr> <td><code>read_orders</code>, <code>write_orders</code>, <code>read_all_orders</code></td> <td>View or manage orders, transactions, fulfillments, and abandoned checkouts from the last 60 days, or View all past and future orders</td> </tr> <tr> <td><code>read_price_rules</code>, <code>write_price_rules</code></td> <td>View or manage conditional discounts</td> </tr> <tr> <td><code>read_products</code>, <code>write_products</code></td> <td>View or manage products, variants, and collections</td> </tr> <tr> <td><code>read_product_listings</code>, <code>write_product_listings</code></td> <td>View or manage product or collection listings</td> </tr> <tr> <td><code>read_reports</code>, <code>write_reports</code></td> <td>View or manage reports on the Reports page in the Shopify admin</td> </tr> <tr> <td><code>read_resource_feedbacks</code>, <code>write_resource_feedbacks</code></td> <td>View or manage the status of shops and resources</td> </tr> <tr> <td><code>read_script_tags</code>, <code>write_script_tags</code></td> <td>View or manage the JavaScript code in storefront or orders status pages</td> </tr> <tr> <td><code>read_shipping</code>, <code>write_shipping</code></td> <td>View or manage shipping carriers, countries, and provinces</td> </tr> <tr> <td><code>read_shopify_payments_accounts</code></td> <td>View Shopify Payments accounts</td> </tr> <tr> <td><code>read_shopify_payments_bank_accounts</code></td> <td>View bank accounts that can receive Shopify Payment payouts</td> </tr> <tr> <td><code>read_shopify_payments_disputes</code></td> <td>View Shopify Payment disputes raised by buyers</td> </tr> <tr> <td><code>read_shopify_payments_payouts</code></td> <td>View Shopify Payments payouts and the account’s current balance</td> </tr> <tr> <td><code>read_content</code>, <code>write_content</code></td> <td>View or manage articles, blogs, comments, pages, and redirects</td> </tr> <tr> <td><code>read_themes</code>, <code>write_themes</code></td> <td>View or manage theme templates and assets</td> </tr> <tr> <td><code>read_third_party_fulfillment_orders</code>, <code>write_third_party_fulfillment_orders</code></td> <td>View or manage fulfillment orders assigned to a location managed by any fulfillment service</td> </tr> <tr> <td><code>read_translations</code>, <code>write_translations</code></td> <td>View or manage content that can be translated</td> </tr> </tbody> </table> ## Next steps - Learn how to [configure a webhook](/docs/apps/build/webhooks/subscribe) for your app and [manage webhooks for different API versions](/docs/apps/build/webhooks/subscribe/use-newer-api-version). - Explore the [Webhooks references](/docs/api/webhooks) and [GraphQL Admin API](/docs/api/admin-graphql) references.