How to use Shopify’s API with custom app changes?

Dev Platform
,
1

Hello,

I work for a company which has an on-premises product which integrates with Shopify. Our integration uses GraphQL to pull data into our product and to push data into Shopify. This is all done within our product and does not involve any custom Shopify UI.

It appears that in order to use Shopify’s API, it’s a requirement that there must be an app in Shopify to manage authentication and authorization. Currently we request that our customers create a custom app by going to Shopify admin → Settings → Apps and sales channels → Develop apps, and then enter their Admin API Access Token into our product.

This App development page now has a warning stating “Starting January 1, 2026, you will not be able to create new legacy custom apps. This will not impact any existing apps.”

I did some looking into the new custom apps and they seem like they’re not quite the correct tool for what we’re trying to do. For example, it sounds like these apps would have to go through a review process with Shopify. So I want confirmation as to whether UI-less API use cases are now meant to use Dev Dashboard Custom Apps or not.

1 Like
Is it still possible to create a custom app for a single store (Admin + Storefront access) without Partner dashboard / CLI?
Custom App Credentials
Unable to generate Shopify OAuth / Admin API access token
Getting Access token and shopify url after creating a custom app
2

Hi @Jonathon_Minard,

Moving forward all apps will be created and managed via the Dev Dashboard, whether that’s Partner Apps, or Merchant Apps.

For the process that you’ve mentioned, with the merchant creating the app in their store admin directly, this is now replaced with the merchant logging into their Dev Dashboard to create the custom apps. This process is explained in the Shopify.dev documentation:

Any apps created this way, by a Merchant specifically, does not need an app review, and do not need any custom UI. Those requirements are specifically for public apps created by a Partner in the Dev Dashboard, that will be listed on our Shopify App Store directly. They do not apply for custom apps created by Merchants or Partners in the Dev Dashboard.

Here’s some documentation with more info on App Distribution Methods, also it’s good to know that merchants can only create custom apps, they’d need to be logged into a Partner Account in the Dev Dashboard to be able to create a public app that requires the app review previously mentioned.

One further difference that you will notice with this new workflow, is that the access tokens are not immediately available like they were when the app was created in the Admin.

New apps created via the Dev Dashboard, will need to use the new Client Credentials Grant workflow to generate an access token your app can use.

This means, when the merchant creates the app in the Dev Dashboard, they will need to provide you with the Client Id and Client Secret displayed under the app settings in the Dev Dashboard, then you can use those credentials to generate a new access token with the POST https://{shop}.myshopify.com/admin/oauth/access_token HTTP Request.

4 Likes
3

Thanks, that makes sense.

1 Like
4

Hi Kellan,

In the same boat but create custom apps for merchant development stores connected via our Partner account. We do not have a need for distributed apps.

Just looking to double check that the processes are more or less the same when setting up. I’m assuming the merchant will have access when the store is transferred.

Or, do we specifically need to use a staff account that will later become the Store owner account when setting up?

Cheers,

Cee

5

Hi @cee_em,

Currently you are unable to install custom or draft apps on client transfer stores. This is described in the Shopify.dev documentation:

You can’t install custom or draft apps on client transfer stores. Create a dev store in the Dev Dashboard to build and test your app.

In this case you should be transfering the store first, then if you need to create a custom app on the store you can do so after it’s transferred, with a collaborator account, or have the merchant create the custom app in the Dev Dashboard and provide you with the Client ID and Client Secret, to use with the Client Credential Grant Workflow to create an access token for use.

Additionally it is very important to know that you can not install the same app on multiple merchant stores as a custom app. If you are installing the same app on multiple stores, it is required that the app is released as a Public app and does have to go through our App Review Process, though you can leave it as unlisted so only merchants that get the link to install it from you directly can use it.

API Restrictions. When using the Shopify API, you will (and will ensure that your employees, agents and service providers will):

not make Custom Applications available to or for use by more than one Merchant. For the avoidance of doubt, this means that Custom Applications may not be installed by more than one Merchant. For clarity, a Merchant may have more than one Merchant Store.

6

Thanks @Kellan-Shopify

So to confirm, if we want to use Shopify API as per merchant’s request - we can no longer help them while their client transfer store is in development? We can only do it after transferring?

Currently the Shopify Help Center advises we Create up to 10 custom apps for a client transfer store.

Shopify Help Center | Considerations and limitations of client transfer stores

2 Likes
7

Hi @cee_em,

Thank you for sharing that Help Center Documentation, as it does need to be updated to reflect the new changes with the way apps work with the new Dev Dashboard platform.

The relevant documentation in Shopify.dev has been updated after the Dev Dashboard was released and would be the correct one to go by here.

  • You can only install free apps and partner-friendly apps.
  • You can’t install custom or draft apps on client transfer stores. Create a dev store in the Dev Dashboard to build and test your app.

I will be passing feedback internally regarding the Help Center documentation that does need to be updated, I appreciate your help pointing this out for us!

Going forward I would recommend the following:

  1. Submit the app as a Public App, released as either a free app or a partner-friendly app. That way you could install the app on a client transfer store before transferring to the merchant.

Or

  1. Develop the app using a non-client transfer development store for testing. Then on the client transfer store, after transferring the store over have the merchant (or collaborator account) create a custom app from the Dev Dashboard, and provide you with the Client ID and Client Secret to use for authentication with the app you’ve previously developed on the non-client transfer development store.
2 Likes
8

With the unspoken part being how much a delay this can be and how LONG the requirements list has become regardless of unlisted status.
And that will be if there’s ZERO roundtripping from setbacks to get through the review process and ALL it’s requirements which are around 300 strong now for any new dev to go through when touching the platform for their clients.

2 Likes
9

@Kellan-Shopify @Jonathon_Minard

The main difference is not only you need to use the new Client Credentials Grant but also that the new access tokens will only be valid for 24 hours, right?

For current developers like @Jonathon_Minard , they are used to have a permanent access token.

Shopify should mention this big change in many official places to remind developers…

This will be a big issue for many developers…

1 Like
10

HI @Kellan-Shopify

In this post

it says offline access tokens are only valid for 24 hours

But in this post

The offline access tokens seem to be permanent.

Can you clarify for us which one is true?

Thanks.

11

Hi @howtomaketurn,

I can confirm that this is expected behaviour, that the Offline Tokens created by the Client Credentials Grant method is ephemeral and expires after 24 hours, but a new token can be requested very easily, making another POST https://{shop}.myshopify.com/admin/oauth/access_token.

The response to the POST request does also include the expires_in field in the HTTP Response, so the developer can easily see when the token will expire.

All of this is mentioned in the documentation for using Client Credential Grant to authorize the app, but if there’s any other sections of the Shopify.dev documentation you believe this should be mentioned in, we do accept feedback and have a section at the bottom of the documentation pages where you can submit custom feedback directly to our documentation team.

  • Select Was this page helpful? No and you can enter your custom feedback:

12

Hey @Kellan-Shopify, thanks for pointing out the docs. I have already gone through the information about the new Client Credentials Grant flow. I understand how the new approach works and I can confirm that I am able to generate access tokens using the client ID and client secret from the Dev Dashboard after installing the app on the store.

My concern is about the token expiry. With the legacy custom app flow, the process was very simple. We created a custom app directly in the store admin, received an Admin API token immediately, and that token never expired. That made backend integrations very easy since we did not have to rotate anything or run any token generation logic.

With the new Client Credentials Grant flow, the token expires in 24 hours. For many backend setups this is not ideal. Managing token rotation adds extra complexity that we never had to deal with in the legacy flow.

From the documentation, I see that the Authorization Code Grant can still generate an offline access token that does not expire. The question is how practical it is to use this method for simple backend integrations. It looks more involved compared to the old custom app process. The docs mention that Shopify app templates already include this flow, but in this case I am not using any template. I am only creating an app in the Dev Dashboard and installing it on the store.

So I want to understand:

  1. Is it still possible to generate a permanent offline Admin API token with an app created in the Dev Dashboard without using the full app template setup?

  2. If yes, what is the recommended way to implement the Authorization Code Grant flow for a simple backend integration that only needs a stable Admin API token?

  3. If no, does that mean the only path forward is to manage rotating 24 hour tokens with Client Credentials Grant?

The legacy custom app model was very straightforward for these scenarios, so any guidance on the easiest path for permanent tokens would be really helpful.

One more thing I wanted to clarify. I have attach a screenshot below for reference. In the legacy custom app view inside the store admin, I can still see three sections on the API credentials page:

image
image755×856 62.6 KB

• Admin API access token
• Storefront API access token
• API key and API secret key

With the new Dev Dashboard app flow, I understand that the Admin API token is no longer shown here and must now be generated using the client ID and client secret from the Dev Dashboard. Since that token lasts only 24 hours, that part is clear.

But I’m not sure how the other fields map to the new system. Specifically:

  1. Is the Storefront API access token removed entirely in the new Dev Dashboard apps, or does it appear somewhere else?

  2. In the legacy custom app page, the “API key” and “API secret key” were always visible. Are these the same as the new “Client ID” and “Client Secret” from the Dev Dashboard, or are they different concepts?

I want to understand the exact mapping between the old fields and the new fields so I can update our internal documentation correctly.

Thanks!

1 Like
13

Hi @Anish_Dalvi ,

I completely understand where you’re coming from, in that it was definitely easier to manage access tokens for Legacy Custom Apps created from the Store’s admin, without having to deal with token rotation, etc. I will definitely be submitting some feedback on your behalf internally that you would like to see a way to generate a permanent Admin API and Storefront API Access Token with the Client Credential Grant workflow as well.

As for your questions specifically:

  1. Is it still possible to generate a permanent offline Admin API token with an app created in the Dev Dashboard without using the full app template setup?
  • Yes, you can absolutely implement the Authorization Code Grant workflow that these templates use, manually. This will allow you to generate a permanent offline access token.
  1. If yes, what is the recommended way to implement the Authorization Code Grant flow for a simple backend integration that only needs a stable Admin API token?

  • We do have some documentation here to walk you through how to implement the Authorization Code Grant manually on your app that was not created with any existing app templates or frameworks.

  • Please note that this will require a front end UI element to the app, as it would require the app to redirect the user to the app scope approval page, in order to approve and generate an authorization code used in the process, as well as a Redirect URI that Shopify uses to send the customer to your app’s UI after installation.

  • If your app is purely a back end only app, with no user UI at all, I would recommend sticking with the Client Credentials Grant workflow.

Regarding the details on the Legacy Custom App in the Admin:

  1. Is the Storefront API access token removed entirely in the new Dev Dashboard apps, or does it appear somewhere else?

  • The Storefront API token is not available via the Dev Dashboard directly, but you can retrieve one with a storefrontAccessTokenCreate Admin API mutation

  • Please note that your app will need to have at least one of the unauthenticated... access scopes before it can request a Storefront Access Token.

  • You do also need to enable the Storefront API from the Partner Dashboard as well, which can be accessed from the Dev Dashboard, on the same app > settings page where you see the Client Credentials.

  1. In the legacy custom app page, the “API key” and “API secret key” were always visible. Are these the same as the new “Client ID” and “Client Secret” from the Dev Dashboard, or are they different concepts?
  • This is correct, the Client ID would be the API Key, and the Client Secret would be the API Secret Key.
14

Hi @Kellan-Shopify Thanks for the clarification. I just want to confirm one last point so we can plan the multi-domain setup correctly.

My app is an extension-only app created in the Dev Dashboard as our store has some shopify extensions that are used. It has the Storefront API enabled in the Partner Dashboard and it includes the unauthenticated scopes. Based on your explanation, I understand that the correct way to create Storefront API tokens is through the storefrontAccessTokenCreate Admin GraphQL mutation.

For our use case, we need multiple Storefront API tokens so that external domains can create carts using the Storefront API. Since the documentation says that an app can generate up to 100 active Storefront API tokens, this should allow us to support each domain without creating multiple apps.

Can you confirm that:

  1. An extension-only Dev Dashboard app can generate Storefront API tokens using the storefrontAccessTokenCreate mutation as long as it has the unauthenticated scopes enabled.

  2. Those tokens can be used independently across different external domains for cart creation.

  3. Using a single app for generating multiple Storefront API tokens is the recommended approach for a multi-domain setup, instead of creating separate apps per domain. Since, this storefront api tokens will be used by different domains for creating cart / checkouts, I think that rather than creating a separate app for this (without any template), I can make use of my existing extension-only app which is already used for running Shopify Extensions to generate those tokens. Moreover, The mutation will be executed from our gadget.dev backend, which handles OAuth for the app and has the Admin API access token.

Once I have your confirmation, I’ll proceed with generating the tokens programmatically.

Thanks again for your help.

15

Hi @Anish_Dalvi,

Thanks for the additional context, I’m happy to help answer your further questions!

Regarding the 100 active Storefront tokens, this is per shop so you can definitely create multiple storefront tokens per storefront domain, as long as they are on the same shop specifically.

If you wanted to make Storefront API calls on multiple Shopify shops with multiple storefronts, then you’ll need to install the app on each individual shop and generate the tokens for that shop’s storefronts.

However, as you said this is with an extension only app, the correct way to make Storefront API calls would be via the Extension’s Direct Access API.

For example with Checkout UI Extensions, you simply have to add api_access = true to your extension toml configuration file, then you can make Storefront API calls via the Extension’s Storefront API connector or via the fetch method, without having to deal with manually generating and managing access tokens.

The process is the same for Customer Account Extensions, but may not be the same for all Extensions, so definitely review the documentation for the specific Extension type that you are working with.

1 Like
16

Hello @Kellan-Shopify, this post is currently by far the most valuable source of information on the changes to API authentication – thank you very much for that!

My company offers a pure on-premises backend application without a user interface. We only access our customers’ shops in the role of a collaborator. This allows us to create applications on the legacy page for custom applications without the shop owner having to take any further action besides granting collaborator access initially.

To my knowledge, apps created in our own Dev Dashboard (which we access via our Partner Dashboard) are not eligible for the client credentials grant auth flow to request access tokens from stores that we do not own, but only collaborate with. Is this understanding correct?

Is there a role or permission that the shop owner can give us so that we, as collaborators, can access the customer organization’s Dev Dashboard?

Thank you very much! David

17

Hi @systrion-david,

I’m afraid that this is expected behaviour due to the way that Collaborator accounts are connected to individual stores rather than the Merchant Organization that owns the Store, meaning it’s not possible to create a Custom App from a Collaborator account in the Dev Dashboard, and use Client Credential Grant with the app installed on a Merchant store.

I’ve discussed this with our developers, and they are aware of this behaviour and how it affects the previous workflow that partners like yourseld used to use with Legacy Custom Apps created in the Merchant’s Admin. I’ve submitted some feedback on your behalf that you’d like to be able to create Custom Apps from a Merchant Organization’s Dev Dashboard using a Partner Collaborator account in order to use Client Credential Grant authorization.

While I can’t guarantee when or if this will be added, I can assure you that our developers and product managers do take all of our merchant and partner feedback in great value when determining future updates and features added to the platform.

In the meantime, your options are as follows:

  1. Create the app using Collaborator account, and authenticate with Authorization Code Grant or Session Token Exchange

or

  1. Have the merchant create the app via their Dev Dashboard, and provide you with the Client Id and Client Secret for the app, so you can use the Client Credential Grant authorization method with that store/app combo.
1 Like
18

Hi @Kellan-Shopify

Apologize for the late reply as I was on out of office.

Thanks for the clarification earlier. I want to make sure I explain my setup correctly so there’s no confusion.

My app is an extension-only app created in the Dev Dashboard. It does include Checkout UI Extensions or Customer Account UI Extensions but the Direct Access API inside an extension runtime does not apply to my use case.

Our need is different:

We have external front-ends (not running inside Shopify, not extensions) that need to use the Storefront API. For that, we need two separate Storefront API tokens. Since the new flow requires generating these tokens through the storefrontAccessTokenCreate Admin API mutation, we are trying to set this up correctly.

To test this, I tried running the mutation directly in the Shopify GraphiQL app, but I get:

Access denied for storefrontAccessTokenCreate field.

This makes sense because the GraphiQL app doesn’t have the necessary scopes.

So I want to confirm the correct approach:

  1. The mutation can only be run by an app installed on the store that has:
    • Storefront API enabled from the Partner/Dev Dashboard
    • The required unauthenticated access scopes

  2. My extension-only app has those scopes and Storefront API enabled, so I should be able to run the mutation from my app’s backend (in my case, Gadget.dev) using the Admin API token of this app.

  3. If the mutation succeeds, the generated Storefront API tokens can be used freely by my external front-ends for creating carts and running Storefront API operations.

Can you confirm this is the right setup?
If yes, I’ll proceed with running the mutation through my extension-only app’s backend instead of GraphiQL.

19

Hi @Anish_Dalvi,

Thanks for the additional context on your app structure here.

I can confirm that everything you stated is correct. However it’s important to know that if your app does have an externally hosted front end or back end, this is not considered an Extension Only app, as these are specifically apps that ONLY contain extensions hosted on the Shopify platform.

Extension only apps don’t need to deal with authentication and token generation, as is built in with the Direct API Access configuration as you mentioned.

Essentially, since your app does have a separate Front End and Back End, hosted externally to make Storefront and Admin API calls outside of the extensions themselves and has an Admin API token received through app authentication instead of using Direct API Access, this would be considered a non-embedded and non-extension only app.

In this case you will need to ensure that you have valid URL’s pointing to your app’s front end and authentication routes, set in your App’s shopify.app.toml configuration file for the application_url and redirect_uris required for app authentication and authorization, as mentioned in the following docs:

Other than that, all of your points are correct about how to access the Storefront API from your app, via the Storefront API token generated via the app’s back end.

20

Hey @Kellan-Shopify

Thanks a lot for the quick reply and clarification. And yeah, I explained it a bit wrong earlier. Since we use Gadget.dev, our app does contain a few extensions, so I loosely called it an “extension-only” app. But I understand now that because we also have an external backend and some front ends consuming the APIs, the app doesn’t fall into the extension-only category.

We already have a proper shopify.app.toml with the app URL and redirect URLs set up, so the authentication and authorization flow is covered on our side. Based on your confirmation, I’ll run the storefrontAccessTokenCreate mutation from our backend, and that should let us generate the Storefront API tokens we need for our external front ends to create carts and checkouts.

Thanks again for confirming the flow. Everything is clear now.

One small UI note: on the community forum, the reaction icons under posts don’t seem to appear in either light or dark mode unless I hover directly over them. I tested in normal and incognito windows and saw the same thing. Just wanted to flag it in case the team wants to take a look. Here is the small loom

Let me know if you need anything else, and thanks again for the help.

1 Like