This guide provides detailed steps for authenticating with Shopify's GraphQL Admin API.
Shopify offers two main authentication approaches:
- OAuth for public apps and custom apps created in the Partner Dashboard
- Direct token generation for custom apps created in the Shopify admin
This approach is required for public apps and custom apps created in the Shopify Partner Dashboard.
- Go to Shopify Partners and log in
- Navigate to Apps > Create app
- Select "Public App" or "Custom App" as appropriate
- Fill in the app details and save
- In your app settings, go to "App setup"
- Add a redirect URL (where users will be sent after authorizing your app)
- For development, use something like `https://localhost:3000/auth/callback`
- Save your changes
- Note your API key and API secret key from the app settings
- Keep these secure and do not share them publicly
The OAuth flow involves:
- Redirecting the merchant to Shopify's authorization URL:
  `https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}`
- After the merchant approves, they'll be redirected to your redirect URL with a `code` parameter
- Exchange this code for a permanent access token:

  ```
  POST https://{shop}.myshopify.com/admin/oauth/access_token
  {
    "client_id": "{api_key}",
    "client_secret": "{api_secret}",
    "code": "{authorization_code}"
  }
  ```
- Store the returned access token securely
- Add this token to your `.env` file as `SHOPIFY_ACCESS_TOKEN`
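The three OAuth steps above as an added Python example (not code from Shopify or from this project): it builds the authorization URL with a random `state` nonce, refuses the callback unless that nonce comes back unchanged, and then prepares the server-side code exchange. The store-name check, the function names and the sample values are assumptions made for the example.

```python
import re
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Only plain store names are accepted when building *.myshopify.com URLs, so a
# crafted SHOPIFY_STORE_NAME cannot point the redirect at some other host.
STORE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")


def shop_host(store_name):
    """Return '<store>.myshopify.com' for a validated store name."""
    if not STORE_NAME_RE.match(store_name):
        raise ValueError("store name must be the part before .myshopify.com")
    return f"{store_name}.myshopify.com"


def build_authorize_url(store_name, api_key, scopes, redirect_uri):
    """Step 1: authorization URL with a fresh random state nonce.
    Persist the nonce (e.g. in the user's session) to check the callback later."""
    nonce = secrets.token_urlsafe(32)
    params = {"client_id": api_key, "scope": ",".join(scopes),
              "redirect_uri": redirect_uri, "state": nonce}
    url = f"https://{shop_host(store_name)}/admin/oauth/authorize?{urlencode(params)}"
    return url, nonce


def code_from_callback(callback_url, expected_nonce):
    """Step 2: accept the code only if the returned state matches the stored nonce."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not expected_nonce or not secrets.compare_digest(state, expected_nonce):
        raise ValueError("state mismatch: callback was not started by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code parameter")
    return code


def token_exchange_request(store_name, api_key, api_secret, code):
    """Step 3: URL and JSON body of the POST that trades the code for the token.
    The secret travels only in this server-to-server request, never to the browser."""
    body = {"client_id": api_key, "client_secret": api_secret, "code": code}
    return f"https://{shop_host(store_name)}/admin/oauth/access_token", body
```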
This approach is simpler but only works for custom apps created in the Shopify admin.
- Log in to your Shopify admin
- Go to Apps > Develop apps
- Click "Create an app"
- Name your app and select "Configure Admin API scopes"
- Select all the required API access scopes your app needs
- Common scopes include:
  - `read_products`, `write_products` for product operations
  - `read_orders`, `write_orders` for order operations
  - `read_customers`, `write_customers` for customer operations
- Only request the minimum scopes required for your app to function
- After configuring scopes, click "Install app"
- Shopify will generate an Admin API access token
- Important: Copy this token immediately, as you won't be able to see it again
- Add this token to your `.env` file as `SHOPIFY_ACCESS_TOKEN`
After obtaining your access token through either method:
- Copy the `.env.example` file to `.env`:

  ```
  cp .env.example .env
  ```
- Edit the `.env` file:

  ```
  SHOPIFY_ACCESS_TOKEN=your_access_token_here
  SHOPIFY_STORE_NAME=your_store_name_here
  SHOPIFY_API_VERSION=2025-01
  ```

Replace `your_store_name_here` with your store's name (the part before `.myshopify.com`).
After setting up your authentication, you can test it with a simple GraphQL query:

```graphql
query {
  shop {
    name
    myshopifyDomain
    primaryDomain {
      url
    }
  }
}
```

If successful, you should receive shop information in the response.
- Never commit your access token to version control
- Store your `.env` file outside of version control (add it to `.gitignore`)
- Rotate your access tokens periodically
- Only request the specific scopes your app needs
- Handle tokens securely in your application
- Consider using a secrets management solution for production environments
If you encounter authentication errors:
- Verify your access token is correct and not expired
- Confirm your app has the necessary scopes for the operations you're attempting
- Check that you're using the correct store name
- Ensure you're using a supported API version
- Verify the `X-Shopify-Access-Token` header is being sent correctly