Create a delegate access token
Create a delegate access token to authenticate server requests to the Admin (GraphQL and REST) and Storefront APIs. You need only one delegate access token for a shop, unless you need to rotate the tokens or change the access scopes that are available to the token.
This guide describes how to create a delegate access token.
Requirements
- You're familiar with API authentication.
- You've retrieved an access token for the Admin API.
- You can make an authenticated request to the Admin API for a parent token, which you'll use to authenticate your request for a delegate access token.
- You've reviewed the delegate access token overview, including the limitations and considerations.
Step 1: Create a delegate access token
Request a token from the GraphQL Admin or REST Admin API.
The following example requests an access token with write_orders permissions. It also sets an expires_in value.
Step 2 (Optional): Make server-side requests to the Storefront API
To query the Storefront API with a delegate access token:
- Include the Shopify-Storefront-Private-Token header with the delegate access token.
In some cases, a request to the Storefront API isn't linked to buyer traffic, such as during a static site build. When you make server-side requests to the Storefront API as a result of buyer traffic, however, be sure to also:
- Include the Shopify-Storefront-Buyer-IP (case-sensitive) header with the buyer's IP address. This lets Shopify accurately enforce IP-level bot and platform protection, which helps your storefront manage traffic from a single user that consumes a high level of capacity, such as a bot.
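The following Python is an added example that is not part of this guide and not Shopify's own code. It builds the two requests the steps above describe without sending them: the REST Admin API call that creates the delegate token (Step 1), with the delegate scopes checked against the parent token's scopes and `expires_in` validated, and the Storefront API headers (Step 2) that carry the delegate token and, only for buyer-driven traffic, a validated buyer IP. The endpoint path `/admin/access_tokens/delegate.json`, the `X-Shopify-Access-Token` header, the shop name and every token value are assumptions or constructed sample values, not taken from this page; confirm the endpoint against Shopify's current reference before use.

```python
"""Build (but do not send) a delegate-token request and Storefront API headers."""
import ipaddress
import json
import urllib.request

# ASSUMPTION: REST endpoint for delegate token creation; not stated on the page.
DELEGATE_PATH = "/admin/access_tokens/delegate.json"


def build_delegate_token_request(shop, parent_token, parent_scopes,
                                 delegate_scopes, expires_in=None):
    """Return (url, headers, body) for a delegate token request.

    A delegate token can never hold access the parent token lacks, so the
    caller passes the parent's granted scopes (obtained elsewhere) and any
    scope outside that set is rejected before a request is made. expires_in,
    when given, must be a positive integer number of seconds.
    """
    if not delegate_scopes:
        raise ValueError("at least one delegate scope is required")
    missing = sorted(set(delegate_scopes) - set(parent_scopes))
    if missing:
        raise ValueError(f"parent token lacks requested scopes: {missing}")
    body = {"delegate_access_scope": list(delegate_scopes)}
    if expires_in is not None:
        if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
            raise ValueError("expires_in must be a positive integer (seconds)")
        body["expires_in"] = expires_in
    headers = {
        # ASSUMPTION: header name used to authenticate with the parent token.
        "X-Shopify-Access-Token": parent_token,
        "Content-Type": "application/json",
    }
    url = f"https://{shop}.myshopify.com{DELEGATE_PATH}"
    return url, headers, body


def storefront_headers(delegate_token, buyer_ip=None):
    """Headers for a server-side Storefront API call.

    The buyer IP header is added only when the call results from buyer
    traffic; a build-time call passes buyer_ip=None and omits it. The value
    must parse as a literal IP so a malformed or spoofed forwarded-for string
    is never sent to Shopify as the buyer's address.
    """
    headers = {
        "Shopify-Storefront-Private-Token": delegate_token,
        "Content-Type": "application/json",
    }
    if buyer_ip is not None:
        ip = ipaddress.ip_address(buyer_ip.strip())  # raises ValueError if invalid
        headers["Shopify-Storefront-Buyer-IP"] = str(ip)
    return headers


def to_request(url, headers, body):
    """Wrap the pieces in a urllib Request; nothing is sent in this example."""
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample values; real parent scopes come from the Admin API.
    url, hdrs, body = build_delegate_token_request(
        "example-shop", "shpat_PARENT_TOKEN_SAMPLE",
        ["read_orders", "write_orders", "read_products"],
        ["write_orders"], expires_in=3600)
    req = to_request(url, hdrs, body)
    print(req.full_url, req.data)
    print(storefront_headers("shpat_DELEGATE_SAMPLE", "203.0.113.7"))
```

Passing `buyer_ip=None` for build-time requests keeps the Buyer-IP header out entirely, which matches the guide's distinction between static builds and buyer-driven traffic.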
API descriptions
REST property | GraphQL field | Required? | Description |
---|---|---|---|
delegate_access_scope | delegateAccessScope | Yes | The list of scopes that will be delegated to the new access token. |
expires_in | expiresIn | No | The amount of time, in seconds, after which the delegate access token is no longer valid. The requirements for this parameter depend on whether the parent access token is set to expire: expires_in provided, the token expires at the same time as the token that's used to create the delegate. If an offline token generates the delegate, then the delegate token doesn't expire. Learn more about the differences between online and offline access tokens. |
- Learn more about delegate access tokens, including how they work and when to use them.
- Learn about rate limiting in the Storefront API.