Create a delegate access token
Create a delegate access token to authenticate server requests to the Admin (GraphQL and REST) and Storefront APIs. You need only one delegate access token for a shop, unless you need to rotate the tokens or change the access scopes that are available to the token.
This guide describes how to create a delegate access token.
Requirements
Anchor link to section titled "Requirements"You're familiar with API authentication.
You've retrieved an access token for the Admin API.
You can make an authenticated request to the Admin API for a parent token, which you'll use to authenticate your request for delegate access token.
You've reviewed the delegate access token overview, including the limitations and considerations.
Step 1: Create a delegate access token
Anchor link to section titled "Step 1: Create a delegate access token"Request a token from the GraphQL Admin or REST Admin API.
The following example requests an access token with write_orders
permissions. It also sets an expires_in
value.
Step 2 (Optional): Make server requests from the Storefront API
Anchor link to section titled "Step 2 (Optional): Make server requests from the Storefront API"For server requests to the Storefront API, consider the following best practices:
Include the delegate access token in a
Shopify-Storefront-Private-Token
header on server requests (best practice).There are some cases when the API request isn't on behalf of a buyer, such as during a static site build, where the header isn't needed.
For handling buyer requests, when possible, always include the
Shopify-Storefront-Buyer-IP
header on server requests.
Passing the Shopify-Storefront-Buyer-IP
header enables the platform to impose IP-level bot and platform protection. This helps the storefront manage traffic from a single user consuming a high level of capacity, such as a bot.
API descriptions
Anchor link to section titled "API descriptions"REST property | GraphQL field | Required? | Description |
---|---|---|---|
delegate_access_scope |
delegateAccessScope |
Yes | The list of scopes that will be delegated to the new access token. |
expires_in |
expiresIn |
No | The amount of time, in seconds, after which the delegate access token is no longer valid. The requirements for this parameter depend on whether the parent access token is set to expire:
expires_in provided, the token expires at the same time as the token that's used to create the delegate. If an offline token generates the delegate, then the delegate token doesn't expire. For more on the differences between online and offline tokens, refer to our access mode documentation. |
- Learn more about delegate access tokens, including how they work and when to use them.
- Learn about rate limiting in the Storefront API.