Private apps

A private Shopify app can interact with the Shopify API on behalf of a single store. To authenticate with Shopify using a private app, you need to generate the credentials from the Shopify admin and provide these credentials in your request to Shopify.

Generate credentials from the Shopify admin

Before you can authenticate a private app to Shopify, you need to generate the required credentials from the Shopify admin of the store that you want to connect with your app. If you don't have a Shopify store, then you can log in to your Partner dashboard and click Development stores to create a test store.

After you've provisioned a test store, log in and then generate the required credentials from the test store admin:

  1. From your Shopify admin, go to Apps.

  2. Click Manage private apps, near the bottom of the page.

  3. Click Create a new private app.

  4. In the App details section, enter a name for the private app and a contact email address. Shopify uses the email address to contact the developer if there is an issue with the private app, such as when an API change might break it.

  5. In the Admin API section, select the areas of your store that you want the app to be able to access.

  6. If you want to use the Storefront API, then select Allow this app to access your storefront data using the Storefront API.

  7. In the Storefront API permissions section, select which types of data you want to expose to the app.

    Four permissions are selected by default:

    • Read products, variants, and collections
    • Read and modify customer data
    • Read and modify checkouts
    • Read content like articles, blogs, and comments

  8. Click Save.

You'll see your API key and password in the Admin API section. You can use these credentials to make authenticated requests to the Shopify store that uses your application.

If you allowed the app to access your storefront data, then you'll see a storefront access token in the Storefront API section.

Change permissions for a storefront access token

After you've created a storefront access token, you can change its permissions to limit what areas of a store can be accessed by the app.

Steps:

  1. From your Shopify admin, go to Apps.

  2. Click Manage private apps.

  3. Click the name of the app whose permissions you want to change.

  4. In the Storefront API section, under Storefront API permissions, select which areas of the store you want the app to access.

    Four permissions are selected by default:

    • Read products, variants, and collections
    • Read and modify customer data
    • Read and modify checkouts
    • Read content like articles, blogs, and comments

  5. Click Save.

  6. In the "You've made changes to your app" dialog, click Save.

Make authenticated requests

A private app can make authenticated requests to the Shopify Admin REST API using basic authentication or by including its Shopify access token in the request header.

Basic authentication

Private apps can authenticate through basic HTTP authentication by using their Admin API key and password as a username and password. You can generate these credentials from the Shopify admin of the store that you want to connect with your app.

Some HTTP clients support basic authentication by prepending username:password@ to the hostname in the URL. For example:

GET https://{username}:{password}@{shop}.myshopify.com/admin/api/2019-07/shop.json

If your HTTP client doesn't support basic authentication using this method, then you can provide the credentials in the Authorization header field instead:

  1. Join the API key and password with a single colon (:).

  2. Encode the resulting string in base64 representation.

  3. Prepend the base64-encoded string with Basic and a space:

    Authorization: Basic NDQ3OGViN2FjMTM4YTEzNjg1MmJhYmQ4NjE5NTZjMTk6M2U1YTZlZGVjNzFlYWIwMzk0MjJjNjQ0NGQwMjY1OWQ=

Shopify access token

Private apps can authenticate with Shopify by including the request header X-Shopify-Access-Token: {access_token}, where {access_token} is replaced by your private app's Admin API password.
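
The three header-building steps under Basic authentication and the X-Shopify-Access-Token alternative, as an added Python example that is not part of Shopify's documentation. The function names, the shop-name check and the `example-shop` value are assumptions made for illustration; the request is built but not sent, and the credentials stay in a header rather than in the URL.

```python
import base64
import urllib.request

API_VERSION = "2019-07"  # version used in the page's example URL

def basic_auth_header(api_key: str, password: str) -> str:
    """Steps 1-3: join with ':', base64-encode, prefix with 'Basic '."""
    if ":" in api_key:
        # Assumption: keys never contain ':'; one would make the split ambiguous.
        raise ValueError("API key must not contain ':'")
    raw = f"{api_key}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic_auth_header(value: str) -> tuple:
    """Reverse the steps. base64 is an encoding, not encryption, so a
    captured header yields the key and password directly."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    api_key, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return api_key, password

def build_shop_request(shop, api_key, password, use_access_token=False):
    """Build (not send) GET shop.json with credentials in a header only."""
    # Assumption: shop names are ASCII letters, digits and hyphens; rejecting
    # anything else keeps the credentials bound to *.myshopify.com.
    if not (shop.isascii() and shop.replace("-", "").isalnum()):
        raise ValueError("unexpected shop name")
    url = f"https://{shop}.myshopify.com/admin/api/{API_VERSION}/shop.json"
    req = urllib.request.Request(url, method="GET")
    if use_access_token:
        # The page's second method: the Admin API password as the token.
        req.add_header("X-Shopify-Access-Token", password)
    else:
        req.add_header("Authorization", basic_auth_header(api_key, password))
    return req

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    req = build_shop_request("example-shop", "constructed-key", "constructed-pass")
    print(req.get_method(), req.full_url)
    # Log header names only; the values are secrets.
    print(sorted(req.headers))
```

Pass the returned request to `urllib.request.urlopen` to send it; urllib stores header names with normalised capitalisation, which is harmless because HTTP header names are case-insensitive.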
