Rotate or revoke client credentials
Client credentials should be changed regularly. Employees leave, client credentials can be accidentally committed to version control, and wide-reaching security flaws can be discovered. While these situations pose security risks, in most cases you can address them without causing any downtime for your app by rotating your client credentials.
Client credentials are also known as app credentials or API keys.
Step 1: Create a new client secret
Anchor link to section titled "Step 1: Create a new client secret"To communicate securely with Shopify’s API, you need to generate a new client secret. You can do this from your app's page in the Partner Dashboard.
- Log in to your Partner Dashboard.
- Click Apps.
- Click the name of the app that you want to rotate client credentials for.
- Click API Access.
- In the Client secret section, click Rotate.
- On the Generate new client secret? screen, click Generate.
The new client secret displays with a New label.
Step 2: Configure webhooks
Anchor link to section titled "Step 2: Configure webhooks"Webhooks are signed with your app's client secret to prevent forgeries. If your app uses webhooks, then configure it to accept both webhooks signed with the new client secret and webhooks signed with the old client secret until after you revoke the old secret.
Step 3: Configure OAuth
Anchor link to section titled "Step 3: Configure OAuth"Access tokens requested from Shopify’s API using the new client secret will be secure. Configure your app to use only the new client secret when acquiring an access token.
Step 4: Generate a new refresh token
Anchor link to section titled "Step 4: Generate a new refresh token"Many of the access tokens that your app stores will be associated with the old client secret. New access tokens must be requested from the Shopify API to work with the new client secret. You'll need a refresh token to generate these new access tokens.
You can generate a refresh token from your app’s page in the Partner Dashboard. Refresh tokens automatically expire after one hour.
Step 5: Request new access tokens
Anchor link to section titled "Step 5: Request new access tokens"Refresh each access token stored by your application by requesting new tokens that use your new client secret and the refresh token:
Include the following required parameters in your requests:
client_id: The client ID for your app.client_secret: The new client secret for your app.refresh_token: The refresh token you created from your app's page in the Partner Dashboard.access_token: The access token you would like to refresh.
Step 6: Revoke the old client secret
Anchor link to section titled "Step 6: Revoke the old client secret"Now your app is using the new client secret to communicate with the Shopify API. The old client secret can now be revoked.
You can revoke the old client secret from your app's page in the Partner Dashboard. Remember that revoking any secret will also remove the access tokens associated with it.
If your app uses webhooks, then configure it to accept webhooks that are signed with the new client secret only.
The following examples show a basic implementation of access token rotation in different programming languages.