This guide introduces you to the authentication and authorization methods that you will use to connect to Shopify's APIs.

## Admin API access for Shopify apps

You can [use Shopify CLI to generate a starter app](/docs/apps/build/scaffold-app) with boilerplate code that handles authentication and authorization.
The starter app includes code for an embedded app that follows app best practices:

- Authorizing your app using [session tokens](/docs/apps/build/authentication-authorization/session-tokens) and [token exchange](/docs/apps/build/authentication-authorization/access-tokens/token-exchange).
- Installing on stores using [Shopify managed installation](/docs/apps/build/authentication-authorization/app-installation).

You should use this starter app unless you need to scaffold an app that is not embedded.

<div class="resource-card-grid">
  <div>
  <a class="resource-card" href="/docs/apps/build/scaffold-app" data-theme-mode="">
    <div class="resource-card__indicator-container"><img
     src="/assets/resource-cards/globe"
     data-alt-src="/assets/resource-cards/globe-dark"
     aria-hidden="true"
     class="resource-card__icon themed-image"></div>
    <h3 class="resource-card__title">
      Scaffold an app
    </h3>
    <p class="resource-card__description">Scaffold an app that follows all authentication and authorization best practices. </p>
  </a>
</div>

</div>



To learn more about the authentication and authorization methods that you can use for Shopify apps, and the libraries that you can use to simplify your implementation, refer to [authentication and authorization](/docs/apps/build/authentication-authorization).

## Access tokens for the Storefront API

All [Storefront API](/docs/api/storefront) requests require a valid Shopify access token. The following types of tokens are available:

- **[Public access tokens](#getting-started-with-public-access)**: Used to make requests from client-side applications, such as a browser or mobile app.

- **[Private access tokens](#getting-started-with-private-access)**: Used to make requests from a server or other private context.

Apps can have a maximum of 100 active storefront access tokens per shop.

### Getting started with public access

Public access tokens enable your app to make Storefront API requests from public contexts like a browser. With public access, capacity scales with the number of buyers based on customer IP. In most cases, this is the IP of someone browsing your site or using your mobile app. Learn more about Storefront API [rate limits](/docs/api/usage/rate-limits#storefront-api-rate-limits).

To use public access, you need to create a public access token for your app by making a request to the GraphQL Admin API's [`storefrontAccessTokenCreate`](/docs/api/admin-graphql/latest/mutations/storefrontAccessTokenCreate) mutation. Alternatively, you can create a [custom app in the Shopify admin](https://help.shopify.com/en/manual/apps/custom-apps), and retrieve your Storefront API access token and manage access scopes from there.

To query the Storefront API with a public access token, include it as an `X-Shopify-Storefront-Access-Token` header on all client-side requests.

### Getting started with private access

Private access tokens let you make authenticated, server-side queries to the Storefront API.

> Caution:
> Unlike public access tokens, private access tokens should be treated as secret and not used on the client-side. We recommend only requesting the scopes that your app needs, to reduce the security risk if the token leaks.


To start using private access, you can use the following methods:

- Add the Headless channel to your Shopify admin.

- Create a [delegate access token](/docs/apps/build/authentication-authorization/access-tokens/use-delegate-tokens) for your custom app.

- Request [unauthenticated scopes](/docs/api/usage/access-scopes#unauthenticated-access-scopes) on an existing access token.

### Making server-side requests



To query the Storefront API with a private access token:

1. Include the `Shopify-Storefront-Private-Token` header with the private access token.

In some cases, a request to the Storefront API isn't linked to buyer traffic, such as during a static site build, however when making server-side requests to the Storefront API as a result of buyer traffic, be sure to also:

2. Include the `Shopify-Storefront-Buyer-IP` (case-sensitive) header with the IP address of the buyer. This allows Shopify to accurately enforce IP-level bot and platform protection, to help your storefront manage traffic from a single user consuming a high level of capacity, such as a bot.

> Caution:
> Failure to include the `Shopify-Storefront-Buyer-IP` (case-sensitive) header, can result in sub-optimal user experiences, including throttled API requests, limited Bot Protection, and unauthenticated flows at checkout as Shopify will not be able to differentiate requests from different buyers.


## Tools

<div class="resource-card-grid">
  <div>
  <a class="resource-card" href="/docs/apps/build/cli-for-apps" data-theme-mode="">
    <div class="resource-card__indicator-container"><img
     src="/assets/resource-cards/resource"
     data-alt-src="/assets/resource-cards/resource-dark"
     aria-hidden="true"
     class="resource-card__icon themed-image"></div>
    <h3 class="resource-card__title">
      Shopify CLI
    </h3>
    <p class="resource-card__description">A command-line tool to help you build Shopify apps faster</p>
  </a>
</div>

<div>
  <a class="resource-card" href="https://github.com/Shopify/shopify-api-ruby" data-theme-mode="">
    <div class="resource-card__indicator-container"><img
     src="/assets/resource-cards/github"
     data-alt-src="/assets/resource-cards/github-dark"
     aria-hidden="true"
     class="resource-card__icon themed-image"></div>
    <h3 class="resource-card__title">
      shopify_api
    </h3>
    <p class="resource-card__description">Shopify’s official Ruby gem for interacting with the Admin API</p>
  </a>
</div>

<div>
  <a class="resource-card" href="https://github.com/Shopify/shopify-app-js/tree/main/packages/apps/shopify-api" data-theme-mode="">
    <div class="resource-card__indicator-container"><img
     src="/assets/resource-cards/github"
     data-alt-src="/assets/resource-cards/github-dark"
     aria-hidden="true"
     class="resource-card__icon themed-image"></div>
    <h3 class="resource-card__title">
      @shopify/shopify-api
    </h3>
    <p class="resource-card__description">Shopify’s official Node library for interacting with the Storefront and Admin APIs, handling OAuth, webhooks, and billing</p>
  </a>
</div>

<div>
  <a class="resource-card" href="https://github.com/Shopify/shopify-app-js/tree/main/packages/api-clients/admin-api-client" data-theme-mode="">
    <div class="resource-card__indicator-container"><img
     src="/assets/resource-cards/node_api"
     data-alt-src="/assets/resource-cards/node_api-dark"
     aria-hidden="true"
     class="resource-card__icon themed-image"></div>
    <h3 class="resource-card__title">
      @shopify/admin-api-client
    </h3>
    <p class="resource-card__description">Shopify’s official lightweight Node library for interacting with the Admin API</p>
  </a>
</div>

</div>



## Next steps

- Authenticate your embedded app using [session tokens](/docs/apps/build/authentication-authorization/session-tokens).
- Authorize your embedded app using a session token with [token exchange](/docs/apps/build/authentication-authorization/access-tokens/token-exchange).
- Authorize your app that is not embedded with [authorization code grant](/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant).
- Authenticate your app created in the Shopify admin with [access tokens](/docs/apps/build/authentication-authorization/access-tokens/generate-app-access-tokens-admin).