---
title: >-
  Expiring offline access tokens required for new public apps as of April 1,
  2026 - Shopify developer changelog
description: >-
  Shopify’s developer changelog documents all changes to Shopify’s platform.
  Find the latest news and learn about new platform opportunities.
source_url:
  html: >-
    https://shopify.dev/changelog/expiring-offline-access-tokens-required-for-public-apps-april-1-2026
  md: >-
    https://shopify.dev/changelog/expiring-offline-access-tokens-required-for-public-apps-april-1-2026.md
metadata:
  effectiveApiVersion: ''
  affectedApi:
    - displayName: Admin GraphQL API
      handle: admin-graphql
    - displayName: Admin REST API
      handle: admin-rest
  primaryTag:
    displayName: API
    handle: api
  secondaryTag:
    displayName: Deprecation Announcement
    handle: deprecation
  indicatesActionRequired: true
  createdAt: '2026-03-09T11:20:36-04:00'
  postedAt: '2026-03-20T15:30:00-04:00'
  updatedAt: '2026-03-20T15:01:26-04:00'
  effectiveAt: '2026-03-13T12:00:00-04:00'
---

March 20, 2026

Tags:

* Action Required
* Admin GraphQL API
* Admin REST API

# Expiring offline access tokens required for new public apps as of April 1, 2026

We're updating how public apps handle offline access tokens to enhance merchant data protection. Starting April 1, 2026, all new public apps must request and use [expiring offline access tokens](https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/offline-access-tokens#expiring-vs-non-expiring-offline-tokens).

## What apps are affected

* [Public apps](https://shopify.dev/docs/apps/launch/distribution#capabilities-and-requirements) created on or after April 1, 2026 that call the Admin API

## What apps are not affected

* Public apps created before April 1, 2026
* Custom apps created at any time
* Apps created by merchants either in the Dev Dashboard or in the admin

## Why we’re making this change

Expiring tokens enhance security. If a token is ever leaked, its limited lifespan significantly narrows the risk to both your app and the merchants who trust it. This change aligns with modern OAuth practices, and as a developer it lets you build your app around predictable refresh flows.

## Action required

**New public apps**: Implement expiring offline access tokens. If you use Shopify’s app templates and libraries this is already handled for you.

Need help? Engage with the [dev platform community](https://community.shopify.dev/c/dev-platform/32) for support and questions.