A Comprehensive Guide to Developing an Access Token Using OAuth for Shopify
In this blog post, we will walk through the step-by-step process of developing an access token for Shopify using OAuth. This guide will serve as a practical reference for developers looking to integrate their applications with Shopify’s Admin API securely.
Step 1: Understand OAuth and Access Tokens
OAuth is an open standard protocol used for secure authorization. Shopify uses OAuth to grant third-party applications limited access to a store’s data. The end result of a successful OAuth flow is an access token, which is used to make API calls on behalf of the store.
Step 2: Build the Authorization URL
The first step in the OAuth process is to redirect the merchant to Shopify’s authorization URL. Here is an example of a Shopify authorization URL:
https://developer.myshopify.com/admin/oauth/authorize?client_id=0829db2c65b3ec8bdff269d52865d44e&scope=read_products,write_products&redirect_uri=https://indicating-than-thanksgiving-procedure.trycloudflare.com/auth/callback&state=HCJ9vsFtle83sMUC
Parameters Explained:
client_id: The API key of your Shopify app.
scope: The permissions your app is requesting (e.g., read_products, write_products).
redirect_uri: The URL Shopify redirects to after the merchant grants permission.
state: A random string to prevent Cross-Site Request Forgery (CSRF) attacks.
Example link:
https://developer.myshopify.com/admin/oauth/authorize?client_id=your-client-id&scope=read_products,write_products&redirect_uri=https://indicating-than-thanksgiving-procedure.trycloudflare.com/auth/callback&state=HCJ9vsFtle83sMUC
When this link is accessed, Shopify will prompt the merchant to approve your app.
Step 3: Handle the Callback
Once the merchant approves your app, Shopify redirects to the redirect_uri with the following parameters:
https://indicating-than-thanksgiving-procedure.trycloudflare.com/auth/callback?code=a3ed6c058c5f853f8ea7bcb19a1989b5&hmac=b87e20124c496c9584f6ef2d4b5cb227dd3e31e4e72c87b590eb3275002a254f&host=YWRtaW4uc2hvcGlmeS5jb20vc3RvcmUvZGV2ZWxvcGVyLXRlY2hv&shop=developer.myshopify.com&state=HCJ9vsFtle83sMUC&timestamp=1736850395
Parameters Explained:
code: The authorization code used to exchange for an access token.
hmac: A hash used to verify the authenticity of the request.
shop: The merchant's store domain.
state: The same random string sent in the initial request to prevent CSRF attacks.
Verify the HMAC:
To ensure the authenticity of the callback request, verify the hmac parameter before using any other value from the callback. The following Node.js function does this:
const crypto = require('crypto');

function verifyHmac(query, clientSecret) {
  // Drop hmac itself; every remaining query parameter is part of the signed message.
  const { hmac, ...params } = query;
  // Shopify signs the parameters sorted by key and joined as key=value pairs with '&'.
  const message = Object.keys(params)
    .sort()
    .map((key) => `${key}=${params[key]}`)
    .join('&');
  const generatedHash = crypto
    .createHmac('sha256', clientSecret)
    .update(message)
    .digest('hex');
  // Compare in constant time; timingSafeEqual throws on unequal lengths, so check length first.
  if (typeof hmac !== 'string' || hmac.length !== generatedHash.length) return false;
  return crypto.timingSafeEqual(Buffer.from(generatedHash), Buffer.from(hmac));
}
Step 4: Exchange the Code for an Access Token
Once the hmac is verified, use the code parameter to request an access token from Shopify.
Example curl Command:
curl -X POST "https://developer-techo.myshopify.com/admin/oauth/access_token" \
-d "client_id=your-client-id" \
-d "client_secret=your-client-secret" \
-d "code=a3ed6c058c5f853f8ea7bcb19a1989b5"
Expected Response:
{
  "access_token": "shpua_39b5482d2fc31645858ef6beb555527a",
  "scope": "write_products"
}
Step 5: Store and Use the Access Token
The access token (shpua_39b5482d2fc31645858ef6beb555527a) allows your app to make authenticated API calls on behalf of the store.
Example API Call:
curl -X GET "https://developer.myshopify.com/admin/api/2023-01/products.json" \
-H "X-Shopify-Access-Token: shpua_39b5482d2fc31645858ef6beb555527a"
Response:
{
  "products": [
    {
      "id": 123456789,
      "title": "Product 1",
      "status": "active"
    },
    {
      "id": 987654321,
      "title": "Product 2",
      "status": "draft"
    }
  ]
}
Conclusion
Developing an access token using OAuth for Shopify might seem complex at first, but following these structured steps will help you implement it efficiently. With the access token, your app can securely interact with Shopify’s Admin API to access and manage store data.
By following this guide, you should now have a working access token and the ability to make authenticated API calls. If you encounter any issues, refer to the Shopify OAuth documentation.