
About client credentials

Your app's client credentials (client ID and client secret) authenticate your app when it requests access to a store's data. You can use these credentials to retrieve an access token for API requests or to verify that a webhook request is genuinely from Shopify.


Retrieve your app's client credentials

You can retrieve your app's client credentials in the Dev Dashboard.

  1. Open the Dev Dashboard.
  2. Click Apps and select your app.
  3. Click Settings.
  4. View or copy your client ID and secret.

[Image: Dev Dashboard settings page showing the Client ID and Secret fields.]

Use your credentials to get an access token

If you're building apps for your own store, you can use your client ID and secret to obtain an API access token.

Info: If you're building apps for other merchants, use Shopify CLI, which handles authentication automatically.

Use these credentials to programmatically request an access token from Shopify's OAuth endpoint. Replace {shop} with your store name (the part before .myshopify.com).

POST https://{shop}.myshopify.com/admin/oauth/access_token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={your_client_id}
&client_secret={your_client_secret}

The response includes your access token:

Response

{
  "access_token": "shpat_xxxxx",
  "scope": "read_products,write_products",
  "expires_in": 86399
}

Include this token in the X-Shopify-Access-Token header when calling Shopify APIs. Tokens expire after 24 hours—request a new one when needed.

For complete code examples in Node.js, Python, and cURL, see Get API access tokens.


Verify webhook requests

Use your client secret to verify that incoming webhook requests are genuinely from Shopify. This prevents malicious actors from sending fake webhook data to your app.

Shopify signs each webhook request with an HMAC-SHA256 hash using your client secret. Your app should compute the same hash and compare it to the X-Shopify-Hmac-Sha256 header.

To learn how to implement webhook verification, see Validate the origin of your webhook.
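
The check described above, as an added Python example (not Shopify's code). It assumes the X-Shopify-Hmac-Sha256 header carries the base64-encoded digest computed over the raw request body bytes; the secret, payload, and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def sign(client_secret: str, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the form assumed for the header."""
    mac = hmac.new(client_secret.encode(), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify_webhook(client_secret: str, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is a valid signature of raw_body."""
    if not header_value:
        return False  # missing header: reject before any processing
    try:
        received = base64.b64decode(header_value.strip(), validate=True)
    except ValueError:
        return False  # header is not valid base64
    expected = hmac.new(client_secret.encode(), raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, received)

# Constructed sample values, not real credentials or a real Shopify payload.
SECRET = "example-client-secret"
BODY = b'{"id":1001,"email":"buyer@example.com"}'
HEADER = sign(SECRET, BODY)

def demo() -> dict:
    # Parsing and re-encoding the JSON changes the bytes (spaces are added),
    # so the signature must be checked against the body exactly as received.
    reserialized = json.dumps(json.loads(BODY)).encode()
    return {
        "genuine": verify_webhook(SECRET, BODY, HEADER),
        "tampered_body": verify_webhook(SECRET, BODY.replace(b"buyer", b"other"), HEADER),
        "reserialized_body": verify_webhook(SECRET, reserialized, HEADER),
        "wrong_secret": verify_webhook("another-secret", BODY, HEADER),
        "missing_header": verify_webhook(SECRET, BODY, None),
        "malformed_header": verify_webhook(SECRET, BODY, "not base64!"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

In a web framework, pass the unparsed request bytes to `verify_webhook` before any JSON middleware touches them.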


Rotate or revoke your app's client credentials

You should rotate the client credentials for your app on a regular basis. To learn how to rotate your app's client secret, refer to Rotate or revoke client credentials.

