How to Create a Shopify Public OAuth App

Step-by-step guide to building a Shopify public OAuth app. Learn OAuth setup, API scopes, access tokens, and how to connect multiple Shopify stores for your SaaS product.

Kateryna Poryvay

9 min read

If you're building a B2B SaaS product that needs to pull data from multiple Shopify stores (orders, products, customers, inventory), you need a public OAuth app. This is the only path Shopify supports for third-party integrations at scale.

Since January 1, 2026, Shopify no longer allows creating legacy custom apps through the Shopify Admin. All new apps must be created via the Shopify Dev Dashboard or Partner Dashboard. Existing custom apps continue to work, but if you're starting fresh or building an integration product, public OAuth is now the standard.

This guide walks through the complete setup process: from registering your app to handling the OAuth flow and getting your first access token.

Custom apps vs. public apps

Before jumping into setup, a quick clarification on terminology that trips up many developers.

Custom apps are built for a single Shopify store. The merchant creates them directly in their admin panel (or, since 2026, via the Dev Dashboard). The store owner generates an access token and hands it to you. Simple, but it doesn't scale if you're building a product that connects to hundreds of stores.

Public apps use OAuth 2.0 and can be installed on any Shopify store. The merchant authorizes your app, Shopify redirects them back to your server with an authorization code, and you exchange that code for an access token. This is what platforms like Apideck use to power ecommerce integrations.

If your product needs to connect to multiple merchants' stores, public OAuth is the only viable approach.

What you'll need

Before starting, make sure you have:

  1. A Shopify Partner account (free to create at partners.shopify.com)
  2. A development store for testing (you can create one from your Partner Dashboard)
  3. A server or endpoint that can receive OAuth callbacks
  4. Basic familiarity with OAuth 2.0 flows

Step 1: Create your app in the Partner Dashboard

Log in to your Shopify Partner account and navigate to the Apps section.

Click "Create app" and select "Create app manually" (not the Remix template, unless you want a full embedded app scaffold).

Enter your app details:

  • App name: Something descriptive. Avoid using "Shopify" in the name (Shopify will reject it during review).
  • App URL: The URL where your app lives. For a server-side integration, this is typically the endpoint that starts the OAuth flow: Shopify sends merchants here with a shop parameter, and your handler redirects them on to the authorization URL.
  • Allowed redirection URL(s): The exact URL(s) Shopify may redirect to after OAuth authorization. The redirect_uri you send in the OAuth request must match one of these exactly (scheme, host, and path); Shopify rejects the authorization request otherwise.

Click "Create app." You'll land on your app's configuration page.

Step 2: Configure API scopes

Your app needs permission to access specific data types. Shopify calls these "access scopes."

In your app settings, navigate to the "Configuration" tab and find the API access scopes section. Select only the scopes your integration actually needs. Common ones include:

  • read_products and write_products for catalog data
  • read_orders for order information
  • read_customers for customer records
  • read_inventory for stock levels

Requesting too many scopes will make merchants suspicious during the authorization flow. Only ask for what you need.

One scope worth noting: read_all_orders. By default, Shopify only gives you access to orders from the last 60 days. If your integration needs historical order data, you must request access to this scope separately in the Partner Dashboard, and Shopify may take up to seven business days to review and approve it.

Step 3: Set up GDPR webhooks

Shopify requires all public apps to handle its mandatory compliance (GDPR) webhooks. These fire when a customer requests the data you hold on them, when a customer asks for that data to be deleted, and when a merchant uninstalls your app.

In your app settings, scroll to the "GDPR mandatory webhooks" section and enter endpoints for:

  • Customer data request: Returns data you hold about a specific customer
  • Customer data erasure: Deletes customer data from your systems
  • Shop data erasure: Deletes all data related to a shop that uninstalls your app (Shopify sends this 48 hours after the uninstall)

These endpoints must be functional before Shopify will approve your app for the App Store. Even if you're building an unlisted app, you still need to implement them. Like every Shopify webhook, these requests carry a base64 HMAC-SHA256 signature of the raw request body, keyed with your client secret, in the X-Shopify-Hmac-Sha256 header; your endpoint must verify it and return 401 when it doesn't match, or Shopify's automated checks will fail your app.
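Here is what the three endpoints look like behind a single handler, as an added Python example (not code from the original post or from Apideck). The topic names, header names, payload fields and the 401-on-bad-signature requirement are Shopify's; the client secret, the in-memory `store` dict standing in for a database, and the request bodies are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical secret for the example; in production load it from your secret store.
CLIENT_SECRET = "shpss_example_client_secret"

# Shopify's three mandatory compliance webhook topics.
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def sign_body(raw_body, secret=CLIENT_SECRET):
    """Base64 HMAC-SHA256 of the raw body, keyed with the client secret. This is
    what Shopify puts in X-Shopify-Hmac-Sha256; here it also builds test requests."""
    return base64.b64encode(hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()).decode()


def verify_webhook(raw_body, header_hmac, secret=CLIENT_SECRET):
    """Constant-time check of the signature. Verify the raw bytes you received,
    never a re-serialized copy of the parsed JSON."""
    return hmac.compare_digest(sign_body(raw_body, secret).encode(), (header_hmac or "").encode())


def handle_compliance_webhook(headers, raw_body, store):
    """Return (status, message) for one compliance webhook. `store` stands in for
    your database: {shop_domain: {customer_id: customer_data}}."""
    if not verify_webhook(raw_body, headers.get("X-Shopify-Hmac-Sha256")):
        return 401, "invalid signature"  # Shopify requires 401 on a bad HMAC
    topic = headers.get("X-Shopify-Topic", "")
    if topic not in COMPLIANCE_TOPICS:
        return 404, f"unhandled topic {topic!r}"
    payload = json.loads(raw_body)  # only parse after the signature checks out
    shop = payload["shop_domain"]
    if topic == "customers/data_request":
        # You must deliver the data to the merchant out of band; here we only locate it.
        cid = payload["customer"]["id"]
        found = store.get(shop, {}).get(cid)
        return 200, f"data request for customer {cid}: {'found' if found else 'no data held'}"
    if topic == "customers/redact":
        cid = payload["customer"]["id"]
        store.get(shop, {}).pop(cid, None)
        return 200, f"redacted customer {cid}"
    # shop/redact arrives 48 hours after uninstall: drop everything held for the shop
    store.pop(shop, None)
    return 200, f"redacted shop {shop}"
```

Wire `handle_compliance_webhook` to the three URLs you register in the dashboard (one route per topic, or one route that dispatches on X-Shopify-Topic as above); the important part is that the signature check runs on the raw body before anything is parsed or deleted.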

Step 4: Retrieve your API credentials

After saving your configuration, go to the "API credentials" tab. You'll find:

  • Client ID (also called API key): Used in OAuth requests to identify your app
  • Client secret (also called API secret key): Used server-side to exchange authorization codes for access tokens

Store these securely. The client secret should never be exposed in client-side code or version control: besides unlocking the token exchange, it is the key Shopify uses to sign OAuth callbacks and webhooks, so anyone holding it can forge both.

Step 5: Build the OAuth flow

The OAuth 2.0 authorization code flow works like this:

1. Redirect the merchant to Shopify's authorization URL

When a merchant wants to connect their store, send them to:

https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}

Replace:

  • {shop} with the merchant's store name (e.g., my-store). Take it from the merchant, but validate the resulting hostname against Shopify's myshopify.com domain pattern before redirecting to it
  • {api_key} with your Client ID
  • {scopes} with a comma-separated list of scopes (e.g., read_products,read_orders)
  • {redirect_uri} with your callback URL (must match one of the allowed redirection URLs you configured in Step 1)
  • {nonce} with a cryptographically random value you generate per request and store server-side (in the session). You'll compare it against the state parameter Shopify echoes back, which is what blocks forged callbacks

2. Merchant authorizes your app

Shopify shows the merchant a consent screen listing the permissions you're requesting. If they approve, Shopify redirects them to your callback URL with a code parameter, along with shop, state, timestamp, and an hmac parameter that signs the rest of the query string with your client secret. Verify shop, state and hmac before doing anything with the code.

3. Exchange the code for an access token

Your server receives the callback with the authorization code. Make a POST request to exchange it:

POST https://{shop}.myshopify.com/admin/oauth/access_token
Content-Type: application/json

{
  "client_id": "{api_key}",
  "client_secret": "{api_secret}",
  "code": "{authorization_code}"
}

Shopify responds with:

{
  "access_token": "shpat_xxxxxxxxxxxxxxxxxxxxx",
  "scope": "read_products,read_orders"
}

Store this access token securely (encrypted at rest, keyed by shop domain). You'll use it in the X-Shopify-Access-Token header for all API requests to that merchant's store.

4. Verify the response scopes

The response includes the scopes actually granted. Compare these against what you requested, keeping in mind that a write_ scope implies its read_ counterpart (so the response may list only the write_ scope). If critical scopes are missing, your integration won't function correctly; fail the installation with a clear message rather than discovering the gap on the first API call.

Step 6: Test with a development store

Before submitting to the App Store, test your OAuth flow end-to-end using a development store.

From your Partner Dashboard, create a new development store. Install your app on it by visiting the authorization URL you constructed in Step 5. Complete the flow and verify you receive a valid access token.

Make a test API call to confirm everything works:

GET https://{shop}.myshopify.com/admin/api/2025-10/shop.json
X-Shopify-Access-Token: {access_token}

If you get back shop details, your OAuth implementation is working.

Step 7: Choose your distribution method

Shopify offers two distribution options for public apps:

Listed (Shopify App Store): Your app appears in the public App Store. Merchants can discover and install it. Requires Shopify's review and approval.

Unlisted: Your app has a public installation URL, but doesn't appear in App Store search results. Still requires review, but merchants can only install via direct link.

For B2B integrations where you're working with specific customers (not general discovery), unlisted distribution usually makes more sense. You control who gets access.

In your app settings, go to "Distribution" and select your preferred method. If choosing App Store listing, you'll need to complete additional listing information (description, screenshots, support URLs) before submitting for review.

Step 8: Submit for review

Shopify reviews all public apps before they can be installed on production stores (development stores work without approval).

The review process can take up to two weeks. Common rejection reasons include:

  • Missing or non-functional GDPR webhook endpoints
  • Requesting unnecessary API scopes
  • App name containing "Shopify"
  • Broken OAuth flow or installation process

Make sure your app works completely before submitting. Shopify's reviewers test the full installation and authorization flow.

Token types and expiration

Shopify supports two token types:

Offline tokens (default): Don't expire. Valid until the merchant uninstalls your app or revokes access. Use these for server-side integrations that need to sync data without user interaction.

Online tokens: Requested by adding grant_options[]=per-user to the authorization URL. They expire (the token response includes expires_in) and are tied to the staff member who authorized the app (the response includes an associated_user object), so API calls are limited to that person's permissions. Useful for apps that need to respect individual staff permissions within a store.

For most B2B integration use cases, offline tokens are what you want. They're the default when you don't specify grant_options[] in your authorization URL.

The 2026 deprecation and what it means for you

The January 2026 change affects how apps are created, not how they authenticate. If you already have a custom app with a working access token, it continues to function. But you cannot create new legacy custom apps from the Shopify Admin anymore.

For new integrations built after January 2026:

  • Single-store integrations: Create apps via the Dev Dashboard, then install on the target store. The OAuth flow generates tokens.
  • Multi-store integrations: Build a public app as described in this guide.

Both approaches now use OAuth. The distinction is distribution: custom apps (via Dev Dashboard) install on one specific store; public apps can be installed on any store.

Apideck's Shopify connector supports both authentication models, handling the OAuth flow and token management so you don't have to build it from scratch.

Common mistakes to avoid

Hardcoding the shop URL: The shop parameter should come from the merchant, not be hardcoded, since different merchants have different store URLs. But don't trust it blindly either: validate it against the myshopify.com hostname pattern Shopify documents before redirecting to it or calling it, or an attacker can point your app at a host they control.

Exposing your client secret: This belongs on your server only. Never put it in JavaScript, mobile apps, or anywhere client-side.

Forgetting HMAC validation: Shopify signs every OAuth callback with an hmac query parameter (hex HMAC-SHA256 over the remaining query parameters, sorted by key and joined as key=value&key=value, keyed with your client secret) and every webhook with the X-Shopify-Hmac-Sha256 header. Recompute the signature and compare it in constant time on every request before acting on it.

Ignoring rate limits: Shopify has API rate limits (a leaky bucket refilling at about 2 requests/second for REST on standard plans; cost-based for GraphQL). When you exceed them Shopify returns HTTP 429 with a Retry-After header, so build retry logic that honors it instead of hammering the API.

Skipping the state parameter: The nonce/state parameter protects against CSRF and login forgery. Generate a unique value, store it in the session, verify it matches when the callback arrives, and discard it after one use so a captured callback can't be replayed.
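Putting Step 5 together with the checks in this list, the following Python is an added example (not code from the original post or from Apideck) of the server side of the flow: building the authorization URL with a stored state nonce (optionally with grant_options[]=per-user for an online token), validating shop, state and hmac on the callback, preparing the token-exchange request, and checking granted scopes. The client ID and secret, redirect URI, required scopes and the dict used as a session store are placeholders; the HMAC message construction and the shop-domain pattern follow Shopify's documentation.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical credentials and callback for the example; load the real ones from a secret store.
CLIENT_ID = "example_client_id"
CLIENT_SECRET = "shpss_example_client_secret"
REDIRECT_URI = "https://app.example.com/auth/shopify/callback"
REQUIRED_SCOPES = {"read_products", "read_orders"}

# Shopify's documented pattern for a valid shop domain.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$")

# Stand-in for your session store: session_id -> pending state nonce.
PENDING_STATES = {}


def normalize_shop(shop):
    """Accept 'my-store' or 'my-store.myshopify.com'; reject anything else so a
    merchant-supplied value can never point the flow at a host you don't expect."""
    shop = shop.strip().lower()
    if "." not in shop:
        shop += ".myshopify.com"
    if not SHOP_RE.match(shop):
        raise ValueError(f"invalid shop domain: {shop!r}")
    return shop


def build_authorize_url(shop, scopes, session_id, online=False):
    """Step 5.1: the URL to send the merchant to. The state nonce is stored
    against the session so the callback can be checked for CSRF."""
    shop = normalize_shop(shop)
    state = secrets.token_urlsafe(32)
    PENDING_STATES[session_id] = state
    params = {
        "client_id": CLIENT_ID,
        "scope": ",".join(sorted(scopes)),
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    if online:
        params["grant_options[]"] = "per-user"  # online (per-user) token instead of offline
    return f"https://{shop}/admin/oauth/authorize?{urlencode(params)}"


def escape_param(value, is_key):
    """Shopify's documented escaping for the HMAC message: % and & become %25 and %26
    in keys and values; = becomes %3D in keys only."""
    value = value.replace("%", "%25").replace("&", "%26")
    return value.replace("=", "%3D") if is_key else value


def compute_callback_hmac(query, secret=CLIENT_SECRET):
    """Hex HMAC-SHA256 over the callback's query parameters minus hmac,
    sorted by key and joined as key=value&key=value."""
    pairs = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != "hmac"]
    message = "&".join(f"{escape_param(k, True)}={escape_param(v, False)}" for k, v in sorted(pairs))
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(callback_url, session_id):
    """Steps 5.2/5.3 guard: validate shop, state and hmac before exchanging the code.
    Returns what the token exchange needs, or raises."""
    query = urlsplit(callback_url).query
    params = dict(parse_qsl(query, keep_blank_values=True))
    shop = normalize_shop(params.get("shop", ""))
    expected_state = PENDING_STATES.pop(session_id, None)  # one-time use: no replay
    if not expected_state or not hmac.compare_digest(expected_state.encode(), params.get("state", "").encode()):
        raise PermissionError("state mismatch")
    if not hmac.compare_digest(compute_callback_hmac(query).encode(), params.get("hmac", "").encode()):
        raise PermissionError("hmac mismatch")
    return {"shop": shop, "code": params["code"]}


def token_exchange_request(shop, code):
    """The POST your server sends next (step 5.3), returned as data so this runs offline."""
    return {
        "url": f"https://{shop}/admin/oauth/access_token",
        "json": {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "code": code},
    }


def missing_scopes(token_response, required=REQUIRED_SCOPES):
    """Step 5.4: compare granted scopes with what the integration needs.
    A write_ scope implies its read_ counterpart, so expand before comparing."""
    granted = {s for s in token_response.get("scope", "").split(",") if s}
    for s in list(granted):
        if s.startswith("write_"):
            granted.add("read_" + s[len("write_"):])
    return set(required) - granted
```

The order of checks in `verify_callback` is deliberate: the shop is validated first so no later step touches an attacker-chosen host, the state is consumed before it is compared so a failed attempt can't be retried, and the hmac is checked last because it covers everything else in the query string. Only after all three pass does the code go into `token_exchange_request`, and only after the token comes back does `missing_scopes` decide whether the install is usable.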

Scaling to multiple ecommerce platforms

Shopify is just one platform. If your customers also sell on WooCommerce, BigCommerce, Square, or other platforms, you'll need separate integrations for each.

Building and maintaining direct integrations with multiple ecommerce APIs is a significant engineering investment. Each platform has different authentication methods, data models, rate limits, and API quirks. For a deeper look at what's involved, see our overview of top ecommerce APIs and the differences between them.

A unified API approach can simplify this. Instead of building separate connectors for Shopify, WooCommerce, BigCommerce, and others, you integrate once against a normalized API layer that handles the platform-specific differences behind the scenes.

Whatever approach you choose, the OAuth fundamentals covered in this guide apply across most modern SaaS platforms. Understanding this flow will serve you well beyond Shopify.
