Shopify Custom App Development: API Token Import and Integration Guide
A Shopify custom app is an app developed for a single store, not published in the Shopify App Store, and installed directly by the store owner. This structure, preferred for one-to-one integrations with ERP systems, accounting software or logistics platforms, requires a different token acquisition and authorization process than standard public app development.
This guide is intended both for developers who want to build a custom app for their own store and for technical teams who need to connect a SaaS or enterprise system to Shopify.
What is Shopify Custom App?
A Shopify custom app is written for the specific needs of one store, installed only on that store, and bypasses Shopify's public app infrastructure (the App Store listing; an admin-created custom app also skips the OAuth authorization flow). It provides programmatic access to the Admin API or the Storefront API.
It is a very common mistake to confuse the three types of Shopify apps. The following table clarifies which structure to use in which scenario:
Where a custom app is ideal: ERP integration (SAP, Netsis, Logo), connecting a custom logistics/shipping system, internal automation workflows, and data synchronization between marketplaces.
From Private App to Custom App: Shopify's 2023 Change
Shopify completely disabled the private app system in January 2023. Before that date, a store admin could generate an API key and API secret (password) and use them for direct access. In the new system this path is closed.
Critical note: if you still have an integration that uses legacy private app credentials, Shopify has permanently cut that connection. You must migrate to a custom app.
Why did Shopify make this change? From a security standpoint, the old private app system carried serious risks in API key management: there was no key rotation, scope control was loose, and there was no detection mechanism for credential leaks. The new custom app system closes these gaps with HMAC verification, scope limiting and token tracking.
Technical differences brought about by the change:
- Old: direct requests with API key + API secret. New: an access token issued when the custom app is installed (directly from the admin, or via OAuth 2.0 for apps created in the Partner Dashboard)
- Old: API password in the X-Shopify-Access-Token header. New: the access token in the same header
- Old: no token expiry. New: offline tokens are permanent, online tokens expire after 24 hours
Types of Shopify Custom App Tokens
Shopify custom app development has two different API surfaces and two different token types attached to them.
The vast majority of enterprise integrations require an Admin API access token. Storefront API is used for customer-facing development (headless commerce, mobile app) and does not provide access to the Admin API.
Difference between Offline vs Online Token:
Offline tokens are for background operations, cron jobs, and server-to-server integrations; they remain valid as long as the app is not removed from the store. Online tokens are for flows tied to a user session; they expire after 24 hours.
Hint: if you are writing an ERP or accounting integration, always use offline tokens. A synchronization job that runs at midnight with an online token will quietly fail once the token expires.
Why is the new custom app system complicated?
At Nodus Works, the most common question we hear from the other side when working with both third-party SaaS platforms and enterprise ERP teams is: "How do we get the Shopify token?"
Shopify's new custom app system was designed to be secure, and for good reason, but this design brings serious setup complexity with it. Especially for a backend or integration team working with the Shopify ecosystem for the first time, the process is unclear.
Sources of complexity:
1. Two different ways to get tokens. A custom app can be installed both directly from the Shopify admin panel and via the OAuth flow of an app created in the Partner Dashboard. The two require different token acquisition procedures. If you start without knowing which path to use, you can spend hours on a half-finished setup.
2. Partner Dashboard configuration. If you choose the OAuth path, you need to create the app in the Partner Dashboard, define callback URLs, and specify scopes. An error in any of these steps leads to invalid_client or redirect_uri_mismatch errors.
3. Scope management. The scopes you request must match between your .env or configuration file and the Partner Dashboard app configuration. A small discrepancy produces an invalid or under-privileged token.
4. HMAC verification. Shopify signs the query parameters it sends to your callback URL with your client secret and expects you to verify that signature. Skipping this step creates a vulnerability; implementing it incorrectly causes errors in production.
Getting Shopify Admin API Token: Two Methods
Method 1: Direct Token from Store Admin Panel
This method is only valid if you are obtaining a token for your own store and you have admin access to it.
Steps:
- Sign in to the Shopify admin → Settings → Apps and sales channels
- Go to the Manage apps page → click Develop apps
- Create app → enter the app name → Create
- Go to the API credentials tab
- Select the required Admin API scopes (e.g. read_orders, write_products)
- Install app → Confirm
- Record the Admin API access token now; it is shown only once
Warning: Shopify displays this token only once. Once you close the page you cannot retrieve it again; to get a new token you must uninstall and reinstall the app.
The limitation of this method: it works for a single store. If you are going to connect the same integration to multiple stores, you need to switch to the OAuth flow.
Method 2: Partner Dashboard and OAuth 2.0 Flow
This path is used for SaaS products, agencies, and multi-store integrations. An app created through the Partner Dashboard can be installed in different stores with the OAuth flow.
Technical flow:
1. The merchant is redirected to the app's install page
2. Your /auth endpoint is called with the store domain
3. Shopify's OAuth authorization page opens
4. The merchant gives consent → Shopify redirects to your callback URL with a code
5. Your server verifies the HMAC of the callback parameters
6. Your server calls the access token endpoint with code + client_id + client_secret
7. The access_token is returned → stored in the database
Implementing this flow from scratch has a high margin of error, especially in HMAC validation and scope management.
Shopify App Token Generator: Our Open Source Solution
Nodus Works has developed and published as open source a lightweight tool to solve this problem, which we kept running into in integration projects:
github.com/nodusworkscom/shopify-app-token-generator
This tool runs the OAuth 2.0 flow in a local environment and generates a persistent (offline) Admin API access token. You get a valid token in minutes without writing a full OAuth implementation.
What does it do?
When you run the tool, a small Express server starts on localhost. You are redirected to Shopify's OAuth authorization page; after approval, the code returned to the callback URL is captured automatically, HMAC verification is performed, and the access_token is displayed both in the terminal and in the browser.
Installation:
git clone https://github.com/nodusworkscom/shopify-app-token-generator.git
cd shopify-app-token-generator
npm install
cp .env.example .env
Fill in your .env file (scopes are comma-separated, without spaces):
SHOPIFY_API_KEY=your_client_id
SHOPIFY_API_SECRET=your_client_secret
SHOP=your-store.myshopify.com
SCOPES=read_products,write_orders,read_customers
npm start
Open localhost:3000 in the browser → click "Install app" on the Shopify confirmation screen → the token is displayed in the terminal and on the screen.
Prerequisites:
- Node.js v16 or higher
- Shopify Partner account (free)
- App built in Shopify Partner Dashboard
- Callback URL defined as http://localhost:3000/callback
Important: in the app settings in the Partner Dashboard, the app URL must be defined as http://localhost:3000 and the redirect URL as http://localhost:3000/callback. Otherwise you get a redirect_uri_mismatch error.
For multiple stores: change the SHOP value in the .env file and repeat the process for each store. Each token produced is unique to that store.
Licensed under MIT, this tool can be used as a starting point for Shopify integration projects and as a practical reference for understanding the token generation process.
Custom App Security and Best Practices
Token security is the most critical dimension of the integration. An Admin API access token is authorized to manage orders, customers, and products in your store; treat it like an admin password.
Token storage: store the token as an environment variable; never put it in source code or the version control system. Verify that .env is listed in your .gitignore. In production, use Vault, AWS Secrets Manager, or a similar secret management tool.
Minimum scope principle: do not request more scopes than the integration needs. For a system that will only read orders, read_orders is enough; do not add write_orders or read_customers. Shopify lets you narrow the scope list later, but expanding it requires reinstalling (re-approving) the app.
HMAC verification: do not accept the token without verifying the HMAC signature Shopify sends in the OAuth callback. Implementations that skip this step accept forged callbacks and become vulnerable to token theft attacks. Our token generator tool performs this step automatically.
Webhook security: verify Shopify webhooks with HMAC as well. Do not process incoming webhook data without checking the X-Shopify-Hmac-Sha256 header against the raw request body.
Common Errors and Solutions
invalid_client error: the Client ID or Client Secret is wrong. Compare the credentials in the Partner Dashboard with your .env file.
redirect_uri_mismatch error: the callback URL does not match the redirect URL defined in the Partner Dashboard. Even a trailing slash causes an error: http://localhost:3000/callback and http://localhost:3000/callback/ are treated as different URLs.
invalid_scope error: one of the requested scopes is invalid or misspelled. Check Shopify's official access scope documentation.
Token shown only once: if the token obtained from the admin panel was not saved, the app must be uninstalled and reinstalled. A token obtained via Partner Dashboard OAuth can be issued again by running the OAuth flow once more.
HMAC verification failed: the Client Secret is wrong or the query string parameters were modified. The token generator tool automates validation; in a manual implementation pay attention to parameter sorting.
For more information about ERP connections and system integrations in Shopify integration projects, check out our Shopify ERP integration guide and Shopify integration article. For accounting system integration, see our Shopify billing and accounting integration content.
FAQ
What is the difference between a Shopify custom app and a private app? The private app is the old structure that Shopify removed in 2023. The custom app is the new system that replaces it and offers more secure token management. Existing private app credentials no longer work; switching to a custom app is mandatory.
Is the custom app token valid indefinitely? An offline access token remains valid until the app is removed from the store. An online token expires after 24 hours. For background integrations, use offline tokens.
Can a Shopify custom app be developed for free? A Shopify Partner account is free. There are no additional fees for custom app development, but the store you integrate with must have an active Shopify plan. During development you can use a free development store.
How many stores can I connect with a custom app? A custom app created from the admin panel is tied to a single store. To connect multiple stores, you need an app that uses the OAuth flow through the Partner Dashboard; in that case a separate access token is generated for each store.
How do I choose between the Shopify GraphQL Admin API and the REST API? Shopify is actively developing the GraphQL Admin API and gradually phasing out the REST API. We recommend building new integrations on GraphQL. GraphQL solves the over-fetching problem and offers more flexible querying.
Can I get a token without an OAuth flow? Yes. A custom app created through the Shopify admin panel issues a token directly, without an OAuth flow. This method only applies to your own store; OAuth is required to install in other stores.
How do I listen to Shopify webhooks from a custom app? After obtaining the custom app token, create a webhook subscription via the Admin API. You define an endpoint and Shopify sends POST requests to it. Validate the X-Shopify-Hmac-Sha256 header on every webhook request before processing it.
Can the token generator tool be used in production? The tool is designed for generating tokens; once you have a valid token, you no longer need it. The generated token can be used for production API requests. The tool itself is ideal for learning, quick token generation and integration testing.
Conclusion
Shopify custom app development has become unnecessarily complicated, especially with the new token system. Starting without knowing which token type or acquisition method to use can waste hours.
Obtaining the token directly from the admin panel is enough for single-store integrations. The OAuth 2.0 flow is unavoidable if you are going to support multiple stores or integrate a third-party system.
Our open source tool shopify-app-token-generator reduces the hardest step of this process, the OAuth flow with HMAC verification, to a few minutes.
If you are looking for technical consulting, architectural design, or development support for your Shopify integration project, you can use our Shopify technical support and maintenance service or contact us directly.