Reading orders without installing an app

Products and Orders APIs
,
1

Hello,

I’m building a website, and I would like to use the Shopify API for reading orders. I understand that I need an access token, so basically, I need to install the app. When I try to install it, it redirectt me to choose a store and then to example.com (which doesn’t exist). I’m currently developing on localhost so I don’t have a link for my website yet on https yet.

2

Hi @Ibrahim_Shukha! The redirect to example.com actually suggests your app installed successfully. That URL is the application_url placeholder, which only matters if you’re building an embedded app with a UI. For your use case (reading orders from a backend), you can ignore it entirely.

The next step is getting an access token, and the right method depends on your setup:

If you own the store, the simplest option is the client credentials grant. Grab the Client ID and Client Secret from your app’s Settings in the Dev Dashboard, then POST to https://{shop}.myshopify.com/admin/oauth/access_token with grant_type=client_credentials. No redirects or HTTPS needed on your end. These tokens expire after 24 hours, so you’ll need to refresh periodically.

If you don’t own the store (e.g., building for a client), you’ll need either authorization code grant for non-embedded apps, or token exchange for embedded apps. Both require HTTPS redirect URLs, but if you’re using Shopify CLI, running shopify app dev handles this automatically via Cloudflare tunnels.

Let me know which scenario fits and I can expand further on how to get the access token to use in your API requests

4

Thanks for your input.

I own the Shopify Store and I’m the admin. But I would like to get a permanant access token, not for 24 hours.

5

Thanks for the context! Since you own the store and just need backend API access (no embedded app UI), client credentials with automated refresh is probably your cleanest option.

The 24-hour expiry sounds annoying, but in practice it’s a single POST request - you can refresh on-demand before each API call if the token is expired, or run a daily cron job. Most backend integrations handle this with a simple wrapper that checks expiry and refreshes as needed.

Our app templates do have OAuth built in and can give you non-expiring tokens, but they’re really designed for building embedded apps with a frontend. For a pure backend integration, you’d be pulling in a lot of overhead you don’t need.

If you absolutely do need a non-expiring offline access token, you can scaffold an app using one of the available templates and then pull the token from the session storage (SQLite via Prisma in the React Router template) once the app has been installed on your store. It is awkward, and is a workaround, while Client Credentials Grant is designed for your exact use case.

6

I tried this POST to https://{shop}.myshopify.com/admin/oauth/access_token but it gives me an error: Oauth error app_not_installed = I’m calling an OAuth-related endpoint / flow, but there is no app installed on that store for that OAuth client. and when I try to install it I don’t see any access token. I don’t know how to reach it.

7

Let me walk through the full setup from scratch:

  1. Go to dev.shopify.com/dashboard and open your app (or create a new one via Create appStart from Dev Dashboard)

  2. Go to the Versions tab, set the App URL to https://shopify.dev/apps/default-app-home (you don’t need an embedded UI for API-only access), select your Webhooks API version, add your access scopes (e.g., read_orders), and click Release

  3. Back on the Home tab, click Install app, select your store, and click Install - you should see a grant screen to approve permissions

  4. Go to Settings and copy your Client ID and Secret

  5. Request your token - make sure the credentials are in the request body, not headers:

curl -X POST \
  "https://your-store.myshopify.com/admin/oauth/access_token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

You should get back an access token (expires in 24 hours, just re-run the same request to refresh). Then use it in your API calls:

curl -X POST \
  https://your-store.myshopify.com/admin/api/2025-01/graphql.json \
  -H 'Content-Type: application/json' \
  -H 'X-Shopify-Access-Token: YOUR_ACCESS_TOKEN' \
  -d '{"query": "{ orders(first: 10) { edges { node { id name } } } }"}'

A similar thread had the same error and it turned out the credentials were being sent in headers instead of the body - worth double-checking.

If you’ve followed all of the above and still hitting issues, start a chat with support and they can dig into the specifics of your app and store setup.

8

When I install it I get redirected to this page

image
image715×580 16.1 KB

9

That’s the https://shopify.dev/apps/default-app-home placeholder URL and is expected. Once you see that, continue from step 4:

  • Go to Settings and copy your Client ID and Secret
  • Request your token - make sure the credentials are in the request body, not headers:
curl -X POST \
  "https://your-store.myshopify.com/admin/oauth/access_token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"
  • You should get back an access token (expires in 24 hours, just re-run the same request to refresh). Then use it in your API calls:
curl -X POST \
  https://your-store.myshopify.com/admin/api/2025-01/graphql.json \
  -H 'Content-Type: application/json' \
  -H 'X-Shopify-Access-Token: YOUR_ACCESS_TOKEN' \
  -d '{"query": "{ orders(first: 10) { edges { node { id name } } } }"}'