Create a delegate access token
Create a delegate access token to authenticate server requests to the Admin (GraphQL and REST) and Storefront APIs. You need only one delegate access token for a shop, unless you need to rotate the tokens or change the access scopes that are available to the token.
This guide describes how to create a delegate access token.
Requirements
You're familiar with API authentication.
You've retrieved an access token for the Admin API.
You can make an authenticated request to the Admin API for a parent token, which you'll use to authenticate your request for a delegate access token.
You've reviewed the delegate access token overview, including the limitations and considerations.
Step 1: Create a delegate access token
Request a token from the GraphQL Admin or REST Admin API.
Step 2 (Optional): Make server requests from the Storefront API
For server requests to the Storefront API, consider the following best practices:
Include the delegate access token in a Shopify-Storefront-Private-Token header on server requests (best practice).
There are some cases when the API request isn't on behalf of a buyer, such as during a static site build, where the header isn't needed.
For handling buyer requests, when possible, always include the Shopify-Storefront-Buyer-IP header on server requests.
The Shopify-Storefront-Buyer-IP header enables the platform to impose IP-level bot and platform protection. This helps the storefront manage traffic from a single user consuming a high level of capacity, such as a bot.
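The header handling from Step 2, as an added example that is not part of the original guide or Shopify's own code. It goes one step beyond the text by showing how a server behind a reverse proxy can choose the buyer address it forwards, so a client-supplied X-Forwarded-For value cannot defeat the IP-level protection. The function names, the trusted-proxy list, the endpoint layout and all sample values are assumptions.

```python
import ipaddress
import json

# Added example, not Shopify's code. Assumptions: function names, the
# trusted-proxy handling and the endpoint layout in storefront_request().


def buyer_ip(peer_addr, forwarded_for, trusted_proxies):
    """Pick the buyer address; X-Forwarded-For counts only behind a trusted proxy."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer) or not forwarded_for:
        return str(peer)  # direct connection: ignore client-supplied headers
    # Walk hops right to left; the first untrusted hop is the buyer.
    for hop in reversed(forwarded_for.split(",")):
        addr = ipaddress.ip_address(hop.strip())  # ValueError on garbage
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


def storefront_headers(delegate_token, buyer_addr=None):
    """Headers for a server request; buyer_addr=None for non-buyer work."""
    if not delegate_token or any(c.isspace() for c in delegate_token):
        raise ValueError("delegate access token is empty or malformed")
    headers = {
        "Content-Type": "application/json",
        "Shopify-Storefront-Private-Token": delegate_token,
    }
    if buyer_addr is not None:
        # Re-parse so only a canonical IP literal reaches the header value
        # (rejects CR/LF header injection).
        canonical = str(ipaddress.ip_address(buyer_addr))
        headers["Shopify-Storefront-Buyer-IP"] = canonical
    return headers


def storefront_request(shop_domain, api_version, delegate_token, query,
                       buyer_addr=None):
    """Return (url, headers, body) for any HTTP client; nothing is sent here."""
    url = f"https://{shop_domain}/api/{api_version}/graphql.json"  # assumed layout
    body = json.dumps({"query": query}).encode()
    return url, storefront_headers(delegate_token, buyer_addr), body
```

Keep the delegate access token in server-side configuration only. Pass buyer_addr=None for work that is not on behalf of a buyer, such as a static site build.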
API descriptions
| REST property | GraphQL field | Required? | Description |
| | | Yes | The list of scopes that will be delegated to the new access token. |
| | | No | The amount of time, in seconds, after which the delegate access token is no longer valid. The requirements for this parameter depend on whether the parent access token is set to expire: |