---
title: >-
  Expiring offline access tokens required for all public apps as of January 1, 2027 - Shopify developer changelog
description: >-
  Shopify’s developer changelog documents all changes to Shopify’s platform. Find the latest news and learn about new platform opportunities.
source_url:
  html: >-
    https://shopify.dev/changelog/expiring-offline-access-tokens-required-for-all-public-apps-as-of-january-1-2027
  md: >-
    https://shopify.dev/changelog/expiring-offline-access-tokens-required-for-all-public-apps-as-of-january-1-2027.md
metadata:
  effectiveApiVersion: ''
  affectedApi:
    - displayName: Admin GraphQL API
      handle: admin-graphql
    - displayName: Admin REST API
      handle: admin-rest
  primaryTag:
    displayName: API
    handle: api
  secondaryTag:
    displayName: Breaking API Change
    handle: breaking-api-change
  indicatesActionRequired: true
  createdAt: '2026-05-06T17:23:56-04:00'
  postedAt: '2026-05-20T12:00:00-04:00'
  updatedAt: '2026-05-19T13:48:14-04:00'
  effectiveAt: '2026-05-11T12:00:00-04:00'
---

May 20, 2026

Tags:

* Action Required
* Admin GraphQL API
* Admin REST API

# Expiring offline access tokens required for all public apps as of January 1, 2027

We're changing how public apps handle offline access tokens to enhance merchant data protection. Starting January 1, 2027, all public apps must use [expiring offline access tokens](https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/offline-access-tokens#expiring-vs-non-expiring-offline-tokens) when calling the Admin API. After that date, public apps still using non-expiring tokens will receive authentication errors.

This extends the [April 1, 2026 change](https://shopify.dev/changelog/expiring-offline-access-tokens-required-for-public-apps-april-1-2026), which applied only to newly created public apps, to all public apps, including those created before April 1, 2026.

## What apps are affected

[Public apps](https://shopify.dev/docs/apps/launch/distribution#capabilities-and-requirements) making Admin API requests using non-expiring offline access tokens, including apps created before April 1, 2026.

## What apps are unaffected

* Custom apps
* Apps created by merchants either in the Dev Dashboard or in the admin

## Why we're making this change

Non-expiring tokens, if leaked, remain valid indefinitely. Expiring tokens close that window in 60 minutes and rotate automatically, dramatically reducing the impact of a credential leak. This aligns with modern OAuth best practices, and as a developer it gives your app a predictable refresh flow.

## Action required

**Existing public apps**: Migrate from non-expiring to expiring offline access tokens. Merchants don't need to reinstall, as your app exchanges existing tokens through code. Follow the [migration guide](https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/offline-access-tokens#migrating-from-non-expiring-to-expiring-tokens) for the step-by-step path.

If you use Shopify's app templates and official API libraries, refresh handling is already implemented; you only need to handle the token exchange and storage updates.

Need help? Engage with the [dev platform community](https://community.shopify.dev/c/dev-platform/32) for support and questions.
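
The storage-side handling described under "Action required", sketched as an added example (not Shopify's code and not part of the original changelog): a per-shop token store that migrates a legacy non-expiring token on first use and refreshes an expiring one shortly before it lapses. `exchange` and `refresh` are hypothetical callables standing in for the token-endpoint requests in the migration guide; the response field names follow standard OAuth and, like the 5-minute margin, are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

REFRESH_SKEW = 300  # assumed margin: refresh 5 minutes before expiry


@dataclass(frozen=True)
class TokenRecord:
    access_token: str
    refresh_token: Optional[str] = None  # None marks a legacy non-expiring token
    expires_at: Optional[float] = None   # None marks a legacy non-expiring token


# Hypothetical transport: (shop, token) -> dict with access_token,
# refresh_token and expires_in (standard OAuth field names, assumed here).
Grant = Callable[[str, str], dict]


class OfflineTokenStore:
    """In-memory stand-in for the app's per-shop token table."""

    def __init__(self, exchange: Grant, refresh: Grant, now=time.time):
        self._records: Dict[str, TokenRecord] = {}
        self._exchange, self._refresh, self._now = exchange, refresh, now

    def put(self, shop: str, record: TokenRecord) -> None:
        self._records[shop] = record

    def _save(self, shop: str, resp: dict) -> TokenRecord:
        # Build the whole record, then swap it in with one assignment, so a
        # new refresh token is never stored beside a stale access token.
        rec = TokenRecord(resp["access_token"], resp["refresh_token"],
                          self._now() + resp["expires_in"])
        self._records[shop] = rec
        return rec

    def access_token(self, shop: str) -> str:
        rec = self._records[shop]
        if rec.expires_at is None:
            # Legacy token: exchange it once; no merchant reinstall involved.
            rec = self._save(shop, self._exchange(shop, rec.access_token))
        elif rec.expires_at - self._now() <= REFRESH_SKEW:
            # Expiring token close to its deadline: refresh and persist.
            rec = self._save(shop, self._refresh(shop, rec.refresh_token))
        return rec.access_token
```

In a real app the record swap would be a single database transaction per shop, with a lock or compare-and-set so two workers do not refresh the same token concurrently.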