---
title: About client credentials
description: >-
  Learn how to acquire and use your app's client credentials to authenticate API
  requests and verify webhooks.
source_url:
  html: >-
    https://shopify.dev/docs/apps/build/authentication-authorization/client-secrets
  md: >-
    https://shopify.dev/docs/apps/build/authentication-authorization/client-secrets.md
---

# About client credentials

Your app's client credentials (client ID and client secret) authenticate your app when it requests access to a store's data. You can use these credentials to retrieve an access token for API requests or to verify that a webhook request is genuinely from Shopify.

***

## Retrieve your app's client credentials

You can retrieve your app's client credentials in the [Dev Dashboard](https://shopify.dev/docs/apps/build/dev-dashboard).

1. Open the [Dev Dashboard](https://shopify.dev/docs/apps/build/dev-dashboard).
2. Click **Apps** and select your app.
3. Click **Settings**.
4. View or copy your client ID and secret.

![Dev Dashboard settings page showing the Client ID and Secret fields.](https://shopify.dev/assets/assets/images/apps/dev-dashboard/app-settings-BERWjF61.png)

***

## Use your credentials to get an access token

If you're building apps for your own store, you can use your client ID and secret to obtain an API access token.

**Info:** If you're building apps for other merchants, use [Shopify CLI](https://shopify.dev/docs/apps/build/cli-for-apps), which handles authentication automatically.

Use these credentials to programmatically request an access token from Shopify's OAuth endpoint. Replace `{shop}` with your store name (the part before `.myshopify.com`).

## POST https://{shop}.myshopify.com/admin/oauth/access\_token

```text
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={your_client_id}
&client_secret={your_client_secret}
```

The response includes your access token:

## Response

```json
{
  "access_token": "shpat_xxxxx",
  "scope": "read_products,write_products",
  "expires_in": 86399
}
```

Include this token in the `X-Shopify-Access-Token` header when calling Shopify APIs. Tokens expire after 24 hours—request a new one when needed.

For complete code examples in Node.js, Python, and cURL, see [Get API access tokens](https://shopify.dev/docs/apps/build/dev-dashboard/get-api-access-tokens).

***

## Verify webhook requests

Use your client secret to verify that incoming webhook requests are genuinely from Shopify. This prevents malicious actors from sending fake webhook data to your app.

Shopify signs each webhook request with an HMAC-SHA256 hash using your client secret. Your app should compute the same hash and compare it to the `X-Shopify-Hmac-Sha256` header.

To learn how to implement webhook verification, see [Validate the origin of your webhook](https://shopify.dev/docs/apps/build/webhooks/subscribe/https#step-2-validate-the-origin-of-your-webhook-to-ensure-its-coming-from-shopify).

***

## Rotate or revoke your app's client credentials

You should rotate the client credentials for your app on a regular basis.

To learn how to rotate your app's client secret, refer to [Rotate or revoke client credentials](https://shopify.dev/docs/apps/build/authentication-authorization/client-secrets/rotate-revoke-client-credentials).

***
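
The check described under "Verify webhook requests", as an added example that is not part of the original page or Shopify's own code. It assumes the `X-Shopify-Hmac-Sha256` header carries the base64-encoded digest of the raw request body; the function names, secret, and payload are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

HEADER = "x-shopify-hmac-sha256"  # header named on this page, lowercased for lookup


def _digest(client_secret: str, raw_body: bytes) -> bytes:
    """HMAC-SHA256 over the exact bytes received, keyed with the client secret."""
    return hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()


def compute_signature(client_secret: str, raw_body: bytes) -> str:
    """Header value a sender holding the secret would attach (assumed base64)."""
    return base64.b64encode(_digest(client_secret, raw_body)).decode("ascii")


def verify_webhook(client_secret: str, raw_body: bytes, headers: dict) -> bool:
    """Return True only when the header matches the HMAC of raw_body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(HEADER)
    if not received:
        return False  # unsigned request: reject rather than process
    try:
        received_digest = base64.b64decode(received, validate=True)
    except (binascii.Error, ValueError):
        return False  # header is not well-formed base64
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(_digest(client_secret, raw_body), received_digest)


# Constructed sample data: not a real credential or a real Shopify payload.
SAMPLE_SECRET = "example-client-secret"
SAMPLE_BODY = b'{"id":1001,"email":"buyer@example.com"}'
SAMPLE_HEADERS = {"X-Shopify-Hmac-Sha256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
# Same JSON after a parse/re-serialise round trip: the bytes differ, so the HMAC differs.
RESERIALISED_BODY = b'{"id": 1001, "email": "buyer@example.com"}'

if __name__ == "__main__":
    print("genuine:", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    print("re-serialised body:", verify_webhook(SAMPLE_SECRET, RESERIALISED_BODY, SAMPLE_HEADERS))
    print("wrong secret:", verify_webhook("other-secret", SAMPLE_BODY, SAMPLE_HEADERS))
    print("missing header:", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, {}))
```

Run the check on the request body bytes before any JSON parsing, since middleware that parses and re-serialises the body changes the bytes and makes genuine requests fail verification.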