Deprecation Admin App

I want to express my concern about this deprecation change. I understand the move to dev-dashboard, but the fact that you cannot create an access token for machine-to-machine integrations is in my opinion completely unacceptable. Most of those apps are not apps at all but integrations.

In my opinion this is not improving security at all:

  1. You get a wild growth of basic app templates to get the access token via console.log or a DB. So you skip the one-time reveal and have lots of simple DBs just for the token, which the merchants need to keep safe next to the integration party.
  2. Because of the hoops, merchants will create one token with all scopes and use that for multiple integrations.

It feels like the wrong direction in all regards. An IT department of a big semi-government company came up with the idea of forcing users to change their password every 2 months; the new password could not overlap more than 20% with the old one and could not be a previous password. From a technical standpoint this sounds great. In practice: a sticky note with the new password under each keyboard.

1 Like

We added support for the OAuth 2 Client Credentials grant to support the system-to-system use case you’re describing. It does require an extra API request to acquire access tokens relative to custom apps in the admin, but we feel strongly that this is a net positive change relative to the security risk that unlimited TTL tokens present.

1 Like

@TerenceShopify I see, and this makes things a little bit better.

Question: Can we generate multiple valid access tokens one after another, and will they all be valid simultaneously? Ideal for stateless apps on, for example, Cloud Run / Cloud Functions, i.e. generate an access token while spinning up and store it in memory.

Nevertheless I foresee new "GenerateAccessToken" apps ~ you select the scopes, we provide the token ~ in the app store, would you agree?

Yes, you can have multiple active tokens at the same time. Requesting a new token does not invalidate older tokens. Note that within 60s the same token will be issued, although this should work fine for your stateless use case.
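As an added illustration of the flow discussed in this thread (this is example code written for this page, not code from Shopify or from either poster), here is a minimal client_credentials token source for a stateless service: it acquires a token on first use, keeps it only in process memory, and proactively re-requests one shortly before the announced expiry, so the only long-lived credential is the client secret in the deployment's secret store. It assumes a generic OAuth 2 token endpoint that takes a form-encoded POST with grant_type=client_credentials and answers with JSON containing access_token and expires_in; the endpoint URL, client id and secret in the block are placeholders, and the FakeTokenEndpoint is a constructed stand-in so the demo runs offline.

```python
"""Client-credentials token source with in-memory caching (added example).

Assumptions (not from the thread): a generic OAuth 2 token endpoint that
accepts a form-encoded POST with client_id, client_secret and
grant_type=client_credentials and returns JSON
{"access_token": "...", "expires_in": <seconds>}. The URL and the
credentials used below are placeholders, not a real shop or real secrets.
"""
import json
import threading
import time
import urllib.parse
import urllib.request

# Seconds before the announced expiry at which a fresh token is requested,
# so a token cannot expire in the middle of a slow chain of API calls.
REFRESH_LEEWAY = 60


def http_post_form(url: str, fields: dict, timeout: float = 10.0) -> dict:
    """Real transport: form-encoded POST, JSON response (only used online)."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


class ClientCredentialsTokenSource:
    """Fetches an access token with the client_credentials grant and keeps it
    in memory until shortly before it expires. Nothing is written to disk or
    to a database; a new container instance simply performs its own request."""

    def __init__(self, token_url, client_id, client_secret,
                 post=http_post_form, clock=time.monotonic):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self._post = post        # injectable transport, for offline tests
        self._clock = clock      # injectable clock, for deterministic expiry
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def _fetch(self):
        data = self._post(self.token_url, {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if "access_token" not in data:
            raise RuntimeError("token endpoint returned no access_token: %r" % (data,))
        ttl = float(data.get("expires_in", 0))
        self._token = data["access_token"]
        # A missing or tiny TTL degrades to "request a token every call"
        # rather than to caching something that may already be dead.
        self._expires_at = self._clock() + max(ttl - REFRESH_LEEWAY, 0.0)

    def get_token(self) -> str:
        """Return a cached token, or fetch a new one if none is usable."""
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at:
                self._fetch()
            return self._token


class FakeTokenEndpoint:
    """Constructed stand-in for the real endpoint: mints a fresh one-hour
    token on every call and counts how often it was called."""

    def __init__(self):
        self.calls = 0

    def __call__(self, url, fields):
        assert fields["grant_type"] == "client_credentials"
        self.calls += 1
        return {"access_token": "tok-%d" % self.calls, "expires_in": 3600}


def demo():
    """Two requests inside the TTL share one token; the first request past
    the refresh point triggers exactly one new fetch."""
    now = [0.0]
    endpoint = FakeTokenEndpoint()
    src = ClientCredentialsTokenSource(
        "https://example.invalid/oauth/token",      # placeholder URL
        "client-id-placeholder", "client-secret-placeholder",
        post=endpoint, clock=lambda: now[0])
    first = src.get_token()
    second = src.get_token()
    now[0] += 3600 - REFRESH_LEEWAY                 # cross the refresh threshold
    third = src.get_token()
    return first, second, third, endpoint.calls


if __name__ == "__main__":
    print(demo())
```

In a real deployment, replace the fake with the default http_post_form transport and the real endpoint, and keep the client secret in the platform's secret manager rather than in source; because every instance holds its own short-lived token, the "one all-scope token stored in a side database" pattern criticised earlier in the thread is not needed.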