
Storefront Access Token

A Storefront access token is used to authorize applications that need to access the unauthenticated/anonymous Storefront API.

Many applications, such as channels, need to delegate anonymous access to the public resources of a Shop at a lower level of privileges. Using the Storefront Access Token API, an application can provision a Storefront access token and then provide this token to the consuming client (e.g. a JavaScript or mobile application, or the Cart Permalinks service).

Note

Storefront access tokens are allocated on a per shop basis, and an application can have a maximum of 100 active Storefront access tokens per shop.

A Storefront access token can inherit any of the following access scopes from the application that generates it:

  • unauthenticated_read_collection_listings: Needed to display collections
  • unauthenticated_read_product_listings: Needed to display products
  • unauthenticated_write_checkouts: Needed to create checkouts
  • unauthenticated_write_customers: Needed for authenticating or creating a customer

What you can do with Storefront Access Token

The Shopify API lets you do the following with the Storefront Access Token resource. More detailed versions of these general actions may be available:

Storefront Access Token properties

id
"id": 1053727709

Unique id that identifies a token and is used to perform operations on it.

access_token
"access_token": "4f12cc6de73079c2c92ef4bef9e3c68a"

The issued public access token.

access_scope
"access_scope": "unauthenticated_read_product_listings"

An application-dependent, comma-separated list of permissions associated with the token.

created_at
"created_at": "2016-11-10T15:15:47-05:00"

The date and time when the public access token was created. The API returns this value in ISO 8601 format.

title
"title": "Test"

An arbitrary title for each token determined by the developer/application, used for reference purposes.

Note

Titles are not required to be unique.

Endpoints

POST /admin/storefront_access_tokens.json
Create a new token

Creating a token for a non-extensible app fails

POST /admin/storefront_access_tokens.json
{
  "storefront_access_token": {
    "title": "Test"
  }
}
HTTP/1.1 403 Forbidden

Creating a new token is successful

POST /admin/storefront_access_tokens.json
{
  "storefront_access_token": {
    "title": "Test"
  }
}
HTTP/1.1 200 OK
{
  "storefront_access_token": {
    "access_token": "5a2549a02fe0ba49cc8a662371920b1d",
    "access_scope": "unauthenticated_read_product_listings",
    "created_at": "2017-07-17T18:13:58-04:00",
    "id": 1053727608,
    "title": "Test"
  }
}

Creating a token after exceeding the limit fails

POST /admin/storefront_access_tokens.json
{
  "storefront_access_token": {
    "title": "Token"
  }
}
HTTP/1.1 400 Bad Request
{
  "errors": [
    "Api permission exceeds public access token limit of: 100"
  ]
}

DELETE /admin/storefront_access_tokens/755357713.json
Delete an existing/issued public access token

Delete an existing/issued public access token

DELETE /admin/storefront_access_tokens/#{id}.json
HTTP/1.1 200 OK

GET /admin/storefront_access_tokens.json
Retrieve a list of public access tokens that have been issued

Retrieve a list of public access tokens that have been issued

GET /admin/storefront_access_tokens.json
HTTP/1.1 200 OK
{
  "storefront_access_tokens": [
    {
      "access_token": "378d95641257a4ab3feff967ee234f4d",
      "access_scope": "unauthenticated_read_product_listings",
      "created_at": "2017-07-17T18:13:42-04:00",
      "id": 755357713,
      "title": "API Client Extension"
    }
  ]
}
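
An added example, not part of Shopify's documentation: a least-privilege audit over the list response shown above, using the properties this page defines (comma-separated access_scope, ISO 8601 created_at, non-unique title, the limit of 100). The function name, the 90-day age threshold, the headroom of 10 and the choice to flag the two write scopes are assumptions made for illustration, and the sample response is constructed.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

TOKEN_LIMIT = 100  # active tokens per application per shop, as stated on this page
# Assumption: the two write scopes are the ones worth a least-privilege review.
WRITE_SCOPES = {"unauthenticated_write_checkouts", "unauthenticated_write_customers"}

def audit_tokens(list_response, now, max_age_days=90, headroom=10):
    """Audit a parsed GET /admin/storefront_access_tokens.json response body."""
    tokens = list_response["storefront_access_tokens"]
    titles = Counter(t["title"] for t in tokens)
    findings = []
    for t in tokens:
        # access_scope is a comma-separated list; tolerate spaces after commas.
        scopes = {s.strip() for s in t["access_scope"].split(",") if s.strip()}
        created = datetime.fromisoformat(t["created_at"])  # ISO 8601 with offset
        issues = []
        if scopes & WRITE_SCOPES:
            issues.append("write scope: " + ", ".join(sorted(scopes & WRITE_SCOPES)))
        if now - created > timedelta(days=max_age_days):
            issues.append("older than %d days" % max_age_days)
        if titles[t["title"]] > 1:  # titles are not unique, so they cannot identify a token
            issues.append("title shared by %d tokens" % titles[t["title"]])
        if issues:
            # Report the id: it is what the DELETE endpoint takes.
            findings.append({"id": t["id"], "title": t["title"], "issues": issues})
    if len(tokens) >= TOKEN_LIMIT - headroom:
        findings.append({"id": None, "title": None,
                         "issues": ["%d of %d tokens in use" % (len(tokens), TOKEN_LIMIT)]})
    return findings

# Constructed sample response; ids, titles and token values are made up.
SAMPLE = json.loads("""
{"storefront_access_tokens": [
  {"id": 101, "title": "Buy button", "access_token": "constructed-token-a",
   "access_scope": "unauthenticated_read_product_listings",
   "created_at": "2017-07-17T18:13:42-04:00"},
  {"id": 102, "title": "Mobile app", "access_token": "constructed-token-b",
   "access_scope": "unauthenticated_read_product_listings, unauthenticated_write_checkouts",
   "created_at": "2017-01-05T09:00:00-05:00"},
  {"id": 103, "title": "Buy button", "access_token": "constructed-token-c",
   "access_scope": "unauthenticated_read_collection_listings",
   "created_at": "2017-07-20T11:30:00-04:00"}
]}
""")

if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE, datetime(2017, 8, 1, tzinfo=timezone.utc)):
        print(finding["id"], finding["title"], "; ".join(finding["issues"]))
```

The now argument must be timezone-aware, because created_at carries a UTC offset and Python refuses to subtract naive and aware datetimes.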