Tags:
- Action Required
- Admin GraphQL API
- Admin REST API
Expiring offline access tokens required for new public apps as of April 1, 2026
We're updating how public apps handle offline access tokens to enhance merchant data protection. Starting April 1, 2026, all new public apps must request and use expiring offline access tokens.
What apps are affected
- Public apps created on or after April 1, 2026 that call the Admin API
What apps are not affected
- Public apps created before April 1, 2026
- Custom apps created at any time
- Apps created by merchants either in the Dev Dashboard or in the admin
Why we’re making this change
Expiring tokens enhance security. If a token is ever leaked, its limited lifespan significantly narrows the risk to both your app and the merchants who trust it. This change aligns with modern OAuth practices, and as a developer it lets you build your app around predictable refresh flows.
Action required
New public apps: Implement expiring offline access tokens. If you use Shopify’s app templates and libraries, this is already handled for you.
Need help? Engage with the dev platform community for support and questions.