Generating secure tokens

If your app relies on tokens to authenticate users, then you must ensure the token is randomly generated with 128 bits of entropy to ensure the security of Shopify merchant data. In some cases, we allow 64 bits where token length is a concern.

If the token will be publicly accessible (for example, included as a parameter in a URL), then you must ensure that the token has an expiration date of no longer than seven days, and you must prevent the token from being leaked to, or indexed, by third parties.

If we detect the use of tokens in your app without sufficient entropy, or tokens that don't expire or can be leaked or indexed by third parties, then your app will be rejected. You'll be required to fix the identified problem before submitting your app for another review.

The following links can be used to generate secure random tokens for several popular programming languages:

When a token is used to authenticate access to private information, you must ensure that the private information can't be indexed by search engines. Google's guide Block Search indexing with 'noindex' explains how to properly configure a HTML meta tag to prevent search indexing. Additionally, any app URL which accepts a token must ensure it includes a Referrer-Policy header in the HTTP response with a value of origin-when-cross-origin or, preferably, no-referrer.