Shopify Admin API Tokens

Shopify custom apps let your workflows authenticate to a store with an Admin API access token (shpat_...) — a permanent, store-bound credential that belongs to the app, not to any employee's login. You choose exactly which Admin API scopes the app gets, and the token never expires.

This is the recommended way to use Shopify in production workflows: no OAuth consent to go stale, scopes are explicit and auditable, and access is revoked by uninstalling the app — without touching anyone's account.

Prerequisites

You need store owner or staff permissions that allow managing apps on the store. You'll also need your store's permanent domain (your-store.myshopify.com) — Sim asks for it alongside the token.

Shopify no longer allows creating new custom apps from the store admin — that path is legacy. New custom apps are created from the Dev Dashboard (dev.shopify.com) or the Shopify CLI. If you already have an admin-created custom app, its shpat_ token still works and can be pasted into Sim directly.

Setting Up the Custom App

1. Create the App and Grant Scopes

Open the Dev Dashboard, create a new app (e.g. sim-workflows), and connect it to your store

Configure the app's Admin API access scopes. The set Sim's Shopify tools use is:

write_products
write_orders
write_customers
write_inventory
read_locations
write_merchant_managed_fulfillment_orders

In Shopify, write_X includes read_X, so these six cover product, collection, order, fulfillment, customer, inventory, and location operations. Grant fewer if your workflows only read — e.g. read_products alone is enough for product and collection lookups

Install the app on your store, then obtain the shpat_ token as described in the next section — the flow differs by app type

2. Get the Admin API Access Token

How you obtain the shpat_ token depends on how the app was created:

  • Legacy admin-created custom apps (created from the store admin before Shopify removed that path) show the Admin API access token — it starts with shpat_ — once on the app's API credentials page. Reveal it, copy it immediately, and paste it into Sim. For legacy admin-created custom apps, Shopify shows the token only once, at creation — if you lose it, you have to reinstall or recreate the app to get a new one.
  • New Dev Dashboard apps do not display a permanent shpat_ token in any UI. Complete an OAuth (authorization code grant) install with the app's client ID and secret to obtain an offline shpat_ access token programmatically. The Dev Dashboard's client-credentials tokens are different — they expire after 24 hours and cannot be stored in Sim.

Don't confuse the token types: shpat_ is the Admin API access token Sim needs. shpss_ is the app's client secret and shpca_ is a custom app access token from older Partner-created custom apps — neither will work. If your Dev Dashboard app only shows a client ID and secret, that is expected: Dev Dashboard apps issue tokens via OAuth, not a UI reveal (see the setup steps above).

3. Find Your Store Domain

Use the permanent .myshopify.com domain — for example, your-store.myshopify.com — not your custom storefront domain. You can find it in your Shopify admin URL or under SettingsDomains.

Adding the Service Account to Sim

Open your workspace Settings and go to the Integrations tab

Search for "Shopify Service Account" and click it, then click Add to Sim and choose Add admin API token

Paste the Admin API access token, enter the store domain (e.g. your-store.myshopify.com), and optionally set a display name and description

Click Add admin API token. Sim verifies the token by querying your store's shop endpoint — if it fails, you'll see a specific error explaining what went wrong.

The token and store domain are encrypted before being stored.

Using the Service Account in Workflows

Add a Shopify block to your workflow. In the credential dropdown, your Shopify service account appears alongside any OAuth credentials. Select it and configure the block as you normally would — the store domain stored with the credential is used automatically.

The block calls your store's Admin API (your-store.myshopify.com/admin/api/...) using the token, with exactly the scopes you granted the app.

Common Questions

The custom app token is permanent, store-bound, and carries exactly the scopes you configured — no user consent to expire and no refresh cycle. That's what you want for an automated workflow.
No. Admin API access tokens from custom apps don't expire. They stop working only if the app is uninstalled or deleted. (Tokens from the Dev Dashboard's client-credentials flow are different — those expire in 24 hours and are not what Sim stores.)
No. Shopify reveals the token only once at creation. Reinstall the app (or recreate it) to generate a new token, then update the credential in Sim. Note the old token is invalidated when you do.
No. Custom apps are single-store — the token works for exactly the store it was installed on. If you run multiple stores, create a custom app on each and add each as a separate credential in Sim.
The block fails at run time with an access-denied error naming the operation. Update the app's Admin API scopes and re-authorize/reinstall the app. Note that reinstalling generates new credentials, so update the token stored in Sim afterwards.
Admin-created custom apps can't rotate credentials in place — recovery is uninstall-and-reinstall or delete-and-recreate, both of which invalidate the old token immediately. Do it in a maintenance window and update the Sim credential right after.

On this page