Shopify API authentication

In order to keep transactions on Shopify’s platform safe and secure, all apps connecting with our APIs must authenticate when making API calls. Some resources, like the Storefront API, make a limited subset of store data available to unauthenticated end users.

Types of authentication

There are two methods of authenticating apps and services with Shopify’s platform:

Any web application or service that connects with Shopify’s platform is referred to as an “app,” regardless of how it’s exposed to end users. Different types of apps use different authentication methods.

Be sure you understand the differences between the two types of authentication schemes before you begin your development process.

Unauthenticated APIs

Shopify’s Storefront API is unauthenticated, which means that the data it publishes can be accessed by users without their having to provide a username or password. The storefront access token is all that is needed to access the data, so any customer or visitor to the storefront can obtain the token and read that data. You should only use the Storefront API if you are comfortable with this risk, and you should limit which store data can be accessed through it.

You can limit which store data is exposed to the Storefront API when you create the storefront access token. If you’ve already created a storefront access token, then you can change the Storefront API permissions to limit what types of store data can be accessed using the storefront access token.

API access modes

Shopify offers two different types of access tokens:

The type of token that you should use depends on the type of app that you’re building.

It’s possible for an application to use both access modes concurrently, using different access tokens when appropriate.

Online access

Online access tokens are linked to an individual user on a store, where the access token's lifespan matches the lifespan of the user's web session. This type of access token is meant to be used when a user is interacting with your application through the web, or when an application must respect an individual user's permission level.

  • This access mode must be explicitly requested in the authorization phase.
  • An API request made using an online mode access token is guaranteed to respect the user's individual permissions. Shopify returns a 403 Forbidden status code when the access token is valid but the user does not have access. Application developers should make sure to handle such a response gracefully.
  • An access token created with this access mode is temporary, and is guaranteed to expire after some amount of time.
  • After an access token has expired, Shopify will return a 401 Unauthorized response code.
  • Users can revoke their own access to your app at any time, without affecting the validity of other users' access tokens.
  • When the user logs out of their Shopify admin area, all online mode access tokens created during the course of the same web session are instantly revoked.
  • It's recommended to keep this type of access token in a user's temporary session storage, backed by a cookie in the user's browser, and make API requests using this access token in response to the user's requests.
  • If your application implements caching to avoid fetching data from Shopify too often, then make sure to scope the cache to each individual user. Since online access mode is guaranteed to respect each user's permission level, caching API responses irrespective of which user's access token was used would most likely result in an inconsistent cache.
  • When this mode is requested and the application is not already installed in a store, the user installing the application must have access to all required scopes, or the installation will fail.
  • After your app is installed, requesting this access mode will always return an access token restricted to the scopes available to the user. The application can inspect scope and associated_user_scope to determine if a user is lacking certain permissions.
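An added example (not Shopify's own code) of how an app might act on the online-access points above: the cache is scoped per user, a 401 is treated as session expiry that forces re-authorization, a 403 is a permission denial that must not be retried, and associated_user_scope is checked against the scopes the app needs. The transport callable, the URL layout and the fake_transport responses are assumptions constructed so the code runs offline; X-Shopify-Access-Token is the Admin API's token header.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

class TokenExpired(Exception): pass  # 401: the online token ended with the user's web session
class Forbidden(Exception): pass     # 403: the token is valid but this user lacks permission

def missing_scopes(token_response: dict, required: set) -> set:
    """Scopes the user lacks, read from associated_user_scope in the access-token response."""
    granted = {s for s in token_response.get("associated_user_scope", "").split(",") if s}
    return set(required) - granted

@dataclass
class OnlineClient:
    shop: str
    # Assumed transport signature so the example runs offline: transport(url, headers) -> (status, body)
    transport: Callable[[str, Dict[str, str]], Tuple[int, dict]]
    cache: dict = field(default_factory=dict)  # keyed by (user_id, path), never shared across users

    def get(self, session: dict, path: str) -> dict:
        """Fetch an Admin API resource using the online token held in this user's session."""
        key = (session["user_id"], path)
        if key in self.cache:
            return self.cache[key]
        url = f"https://{self.shop}/admin/{path}"  # hypothetical layout; real paths carry an API version
        status, body = self.transport(url, {"X-Shopify-Access-Token": session["access_token"]})
        if status == 401:
            session.pop("access_token", None)  # expired with the session: drop it and re-authorize
            raise TokenExpired(path)
        if status == 403:
            raise Forbidden(path)  # valid token, insufficient user permission: do not retry
        if status != 200:
            raise RuntimeError(f"unexpected status {status} for {path}")
        self.cache[key] = body
        return body

def fetch_for_user(client: OnlineClient, session: dict, path: str) -> Tuple[str, Optional[dict]]:
    """What a web handler does with each outcome instead of failing on 401/403."""
    try:
        return "ok", client.get(session, path)
    except TokenExpired:
        return "reauthorize", None  # redirect the user back through the authorization phase
    except Forbidden:
        return "forbidden", None    # tell the user they lack access to this resource

def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Constructed stand-in for Shopify: each token maps to one outcome."""
    outcomes = {"tok-alice": (200, {"orders": [101, 102]}),
                "tok-bob": (403, {"errors": "insufficient permission"}),
                "tok-stale": (401, {"errors": "token expired"})}
    return outcomes.get(headers["X-Shopify-Access-Token"], (500, {}))
```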

Offline access

Offline access tokens are meant for long-term access to the store when no user interaction is involved. This kind of access token is ideal for background work in response to webhooks, or for maintenance work in background jobs.

  • This is the default access mode when none is specified.
  • The access tokens created with this access mode are permanent; they are revoked only when the application is uninstalled from a store.
  • This access mode is suitable when no user interaction is involved.
  • Authorizing an application multiple times in this access mode will return the same access token each time. After obtaining offline access to a store, it is only necessary to re-authorize an application after it has been uninstalled, or when the application must request additional access scopes.
  • When this mode is requested and the application is not already installed in a store, the user installing the application must have access to all required scopes, or the installation will fail.
  • After the application is installed on a store, all users with Applications permission will be able to successfully complete this OAuth flow again, regardless of their permission level.