Shopify has deprecated REST in favor of GraphQL and is planning to turn off Access Token Auth for new custom apps starting 2026. As Access Tokens are being deprecated, are you recommending everyone move to OAuth.
Please confirm
1 Like
Hi @Test_Test1,
Access Tokens are not actually being deprecated, just how they are generated is being changed for Custom Apps moving forward.
This is due to the fact that Custom Merchant Apps are no longer created in the Shopify Store Admin, and are now created in the Dev Dashboard for both Custom Merchant Apps, and Custom Partner Apps.
Moving forward there are multiple ways for custom apps to generated Access Tokens, with the new Client Credential Grant, being the simplest for Custom Merchant Apps.
-
Using the client credentials grant
- Simplest method, you just make a
POST https://{shop}.myshopify.com/admin/oauth/access_tokenHTTP Request, passing the Client ID and Client Secret in the request body, with it returning the access token. - The Client ID and Client Secret can be retrieved from the Dev Dashboard
- This can only be used on apps created from the organization that owns the store it’s installed on. Meaning you have to be logged into the Dev Dashboard with a Store Staff Member account when creating the app and installing it on the same store, or a Partner Account when installing it on a Partner Development Store, in order to use this authentication method
- Simplest method, you just make a
-
Implement authorization code grant manually
- This is the standard OAuth method you mentioned above.
-
Exchange a session token for an access token
- This token exchange method is specifically for embedded apps using Session Tokens
3 Likes
are you recommending everyone move to OAuth.
We’re not recommending that everyone should move to OAuth - you should pick the authentication method that is most suitable for your type of app, whether that is the the client credentials grant flow, OAuth or access token exchange.
1 Like