Dev Dashboard - Creating a Legacy App

Hi!

In our stores, we have created apps whose only purpose was to provide scoped access to the Shopify API for that store. For example, we have [StoreName]ProductCatalog and [StoreName]OrderManagement in nearly every store.
We built these using the Develop Apps button in the App development page in the store’s settings.

They weren’t applications per se, but it was how we handled interaction with the API.

Since 1/1/2026, we can no longer do that; we have to use the Dev Dashboard to build our app. However, I cannot figure out how to use or install it.

If I check the “use legacy install flow” checkbox (which seems like the right thing to do) I cannot install my app. Clicking the “Install” button does nothing more than allow me to select one of our stores and redirects me to a Shopify Dev Docs page that says “Find this app in the pages where you work”, nor does it appear in the develop apps in my store.

If I uncheck this checkbox I can successfully install the app on the selected store, but the credentials in the app do not provide access to the Admin API. I simply get a 401 error.

Does anyone have any advice?

Hey @Peter_Anania, you’ve hit on something a lot of folks have been running into since the Jan 1st deprecation.

The “use legacy install flow” checkbox isn’t what you’re looking for here - that’s about how scopes are requested during OAuth, not about getting a displayed access token like the old custom apps had. Apps created in the Dev Dashboard don’t give you a static token in the UI anymore.

The 401 error you’re seeing is because you’re likely trying to use the Client ID and Secret directly as authentication. Instead, you need to exchange them for an access token first.

There are two paths depending on your setup:

If you own both the app and the stores (same organization), client credentials grant is the simplest option. You POST your Client ID and Secret to https://{shop}.myshopify.com/admin/oauth/access_token with grant_type=client_credentials, and you’ll get back an access token.

The catch is these tokens expire every 24 hours, so you’ll need to refresh them periodically.

If you’re a Partner building apps for stores you don’t own, client credentials won’t work - you’ll get that shop_not_permitted error. In that case, you need authorization code grant instead. It’s more setup upfront (you need a callback endpoint to handle the OAuth redirect), but it gives you a non-expiring offline token that works exactly like the old legacy tokens until the app is uninstalled.

Given you mentioned these are internal apps for your own stores, client credentials should work for you. Just make sure the app and store are under the same organization.

I went through this same transition in more detail in this thread which might be helpful context.


Thank you Donal. I did eventually figure that out exactly as you describe, and as pointed out… My new issue is updating our Shopify middleware to refresh the token every 24 hours (ugh). :frowning:
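
The client credentials exchange and the 24-hour refresh discussed in this thread, as an added example that is not part of any post and is not Shopify's code: a small Python token cache that renews the token shortly before it expires. The form-encoded request body, the `expires_in` response field, the five-minute renewal margin and the names `TokenCache`, `http_post_form` and `invalidate` are assumptions.

```python
import json
import re
import threading
import time
import urllib.parse
import urllib.request

SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*")  # bare shop handle, never a host or path


def http_post_form(url, fields):
    """Default transport: form-encoded POST over HTTPS, returns parsed JSON."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches a client-credentials token and renews it before it expires."""

    def __init__(self, shop, client_id, client_secret,
                 post=http_post_form, clock=time.monotonic, margin=300):
        # Reject anything that could redirect the Client Secret to another host.
        if not SHOP_RE.fullmatch(shop):
            raise ValueError("shop must be a bare myshopify.com handle")
        self._url = f"https://{shop}.myshopify.com/admin/oauth/access_token"
        self._fields = {"grant_type": "client_credentials",
                        "client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._margin = post, clock, margin
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token, self._renew_at = None, 0.0

    def get(self):
        """Return a valid token, fetching a new one only when needed."""
        with self._lock:
            if self._token is None or self._clock() >= self._renew_at:
                data = self._post(self._url, self._fields)
                token = data.get("access_token")
                if not token:
                    raise RuntimeError("token response had no access_token")
                # Assumption: expires_in is in seconds; else use the 24 h from the thread.
                ttl = float(data.get("expires_in", 24 * 3600))
                self._token = token
                self._renew_at = self._clock() + max(ttl - self._margin, 0)
            return self._token

    def invalidate(self):
        """Call after a 401 from the Admin API so the next get() re-fetches."""
        with self._lock:
            self._token = None
```

Send the returned token to the Admin API in the `X-Shopify-Access-Token` header, and load the Client Secret from a secret store rather than from source or logs.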