Shopify API authentication
This guide introduces the different methods of authenticating and authorizing apps with Shopify’s platform. Make sure that you understand the differences between the types of authentication and authorization schemes before you begin your development process.
Authentication vs authorization
Anchor link to section titled "Authentication vs authorization"Authentication is the process of verifying the identity of the user or the app. To keep transactions on Shopify’s platform safe and secure, all apps connecting with Shopify APIs must authenticate when making API requests.
Authorization is the process of giving permissions to apps. App users can authorize Shopify apps to access data in a store. For example, an app might be authorized to access orders and product data in a store.
Types of authentication and authorization methods
Anchor link to section titled "Types of authentication and authorization methods"The authentication or authorization methods that you app needs to use depends on the tool that you used to create your app, and the components that your app uses.
- All apps that are created using Shopify CLI or through the Partner Dashboard use OAuth.
- If the app is embedded in the Shopify admin using App Bridge, then your app also uses session tokens.
- Apps that are created in the Shopify admin use access tokens that are generated in the Shopify admin.

API access modes
Anchor link to section titled "API access modes"When you create an API access token for the Shopify Admin API during the OAuth flow, you can choose between two access modes: offline and online. For more information, refer to Access modes.
Access tokens for the Storefront API
Anchor link to section titled "Access tokens for the Storefront API"All Storefront API requests require a valid Shopify access token. The following types of tokens are available:
Public access tokens: Used to make requests from client-side applications, such as a browser or mobile app.
Authenticated access tokens: Used to make requests from a server or other private context.
Apps can have a maximum of 100 active storefront access tokens per shop.
Getting started with public access
Anchor link to section titled "Getting started with public access"Public access tokens enable your app to make Storefront API requests from public contexts like a browser. With public access, capacity scales with the number of buyers based on customer IP. In most cases, this is the IP of someone browsing your site or using your mobile app. Learn more about Storefront API rate limits.
To use public access, you need to create a public access token for your app by making a request to the GraphQL Admin API's storefrontAccessTokenCreate mutation or the REST Admin API's StorefrontAccessToken resource. Alternatively, you can create a custom app in the Shopify admin, and retrieve your Storefront API access token and manage access scopes from there.
To query the Storefront API with a public access token, include it as an X-Shopify-Storefront-Access-Token header on all client-side requests.
Getting started with authenticated access
Anchor link to section titled "Getting started with authenticated access"Private access tokens let you make authenticated, server-side queries to the Storefront API.
To start using private access, you can use the following methods:
Add the Headless channel to your Shopify admin.
Create a delegate access token for your custom app.
Request unauthenticated scopes on an existing access token.
To query the Storefront API with a private access token, include it as a Shopify-Storefront-Private-Token
header on all server-side requests. Never expose a private access token in client-side code.
Optional IP header
Anchor link to section titled "Optional IP header"It's best practice to include the Shopify-Storefront-Buyer-IP
header if you're using authenticated access for handling buyer requests.
Passing the Shopify-Storefront-Buyer-IP
header enables the platform to impose IP-level rate limiting as an added protection against a single user, such as a bot, consuming a high level of capacity.
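As an added example (not code from Shopify's documentation or SDKs), the following Node.js snippet builds the requests described in the public-access and authenticated-access sections above without sending them: the GraphQL Admin API call that creates a public Storefront access token with storefrontAccessTokenCreate, a public-mode Storefront request carrying X-Shopify-Storefront-Access-Token, and a private-mode request carrying Shopify-Storefront-Private-Token plus Shopify-Storefront-Buyer-IP. The shop domain, API version, token strings, query and IP addresses are constructed placeholders; the buyerIpFromRequest helper and its trusted-proxy-hop logic are an assumption of this example, not a Shopify API.

```javascript
// Added example, not Shopify's own code. Builds the HTTP requests described on
// this page without sending them. Each builder returns { url, options } that
// could be handed straight to fetch(). The shop domain, API version, token
// values, query and IP addresses are constructed placeholders.

const API_VERSION = '2024-01'; // assumption: any supported API version works here

// Server-side only: creates a public Storefront access token through the
// GraphQL Admin API's storefrontAccessTokenCreate mutation, authenticated
// with the app's Admin API access token.
function buildStorefrontTokenCreateRequest({ shop, adminAccessToken, title }) {
  const mutation = `
    mutation StorefrontTokenCreate($input: StorefrontAccessTokenInput!) {
      storefrontAccessTokenCreate(input: $input) {
        storefrontAccessToken { accessToken title accessScopes { handle } }
        userErrors { field message }
      }
    }`;
  return {
    url: `https://${shop}/admin/api/${API_VERSION}/graphql.json`,
    options: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'X-Shopify-Access-Token': adminAccessToken,
      },
      body: JSON.stringify({ query: mutation, variables: { input: { title } } }),
    },
  };
}

// Loose syntactic check for a dotted-quad IPv4 or colon-separated IPv6 literal.
function isValidBuyerIp(ip) {
  if (typeof ip !== 'string') return false;
  const v4 = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) return v4.slice(1).every((octet) => Number(octet) <= 255);
  return ip.includes(':') && /^[0-9a-f:]+$/i.test(ip) && ip.split('::').length <= 2;
}

// Hypothetical helper: picks the buyer IP to forward. X-Forwarded-For is
// client-controlled unless a proxy you operate appended to it, so only trust
// the entry added by the outermost trusted hop; with no trusted hops, use the
// socket peer address.
function buyerIpFromRequest({ socketIp, forwardedFor = '', trustedProxyHops = 0 }) {
  const hops = forwardedFor.split(',').map((s) => s.trim()).filter(Boolean);
  if (trustedProxyHops === 0 || hops.length < trustedProxyHops) return socketIp;
  return hops[hops.length - trustedProxyHops];
}

// Storefront API request. mode 'public' uses X-Shopify-Storefront-Access-Token
// and is safe in a browser; mode 'private' uses Shopify-Storefront-Private-Token,
// must stay server-side, and forwards the buyer's IP for per-IP rate limiting.
function buildStorefrontRequest({ shop, mode, token, query, variables = {}, buyerIp }) {
  const inBrowser = typeof window !== 'undefined' && typeof window.document !== 'undefined';
  const headers = { 'Content-Type': 'application/json' };

  if (mode === 'public') {
    headers['X-Shopify-Storefront-Access-Token'] = token;
  } else if (mode === 'private') {
    if (inBrowser) {
      // Refuse outright: a private token in client-side code is a credential leak.
      throw new Error('private Storefront token must not be used in a browser context');
    }
    if (!isValidBuyerIp(buyerIp)) {
      throw new Error('Shopify-Storefront-Buyer-IP is required for private access');
    }
    headers['Shopify-Storefront-Private-Token'] = token;
    headers['Shopify-Storefront-Buyer-IP'] = buyerIp;
  } else {
    throw new Error(`unknown Storefront access mode: ${mode}`);
  }

  return {
    url: `https://${shop}/api/${API_VERSION}/graphql.json`,
    options: { method: 'POST', headers, body: JSON.stringify({ query, variables }) },
  };
}

// Constructed usage: a server handling a buyer request from behind one trusted proxy.
const SAMPLE_QUERY = '{ shop { name } }';
const exampleRequest = buildStorefrontRequest({
  shop: 'example.myshopify.com',
  mode: 'private',
  token: 'example-private-token',
  query: SAMPLE_QUERY,
  buyerIp: buyerIpFromRequest({
    socketIp: '10.0.0.5',
    forwardedFor: '198.51.100.9, 203.0.113.7',
    trustedProxyHops: 1,
  }),
});
```

The private-mode builder fails closed on two conditions rather than degrading: it throws if it detects a browser global, so a private token cannot be shipped to buyers by accident, and it throws if no usable buyer IP is supplied, so the per-IP rate-limit protection is never silently dropped.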
- Authorize your app that was created in the Partner Dashboard or Shopify CLI using OAuth.
- Authenticate your admin-created custom app with access tokens.
- Authenticate your embedded app using session tokens.