Who runs accesstokengen.com
Hi — I’m Furkan Ülker. I built and maintain accesstokengen.com so Shopify developers can get an Admin API access token without standing up an OAuth server or trusting an opaque third-party tool with their client secret.
About me
I run Datora, the company that operates this service. I work primarily on Shopify integrations — Admin API automations, OAuth-based apps, and developer tooling — and the long-form references published on this site come out of that work.
Every guide on this site is written from production experience with the same Shopify Admin API the tool wraps: token rotation, scope decisions, OAuth error handling, Custom App vs Public App trade-offs, Storefront vs Admin token boundaries, and the small behavioral details that aren’t obvious from the official docs alone.
What this site is
accesstokengen.com has two parts:
- The tool — /generate runs the Shopify OAuth 2.0 authorization-code flow on your behalf using your own Custom App Client ID and Secret. Bring credentials, pick scopes, approve on Shopify, copy the token.
- The references — long-form guides covering the Shopify Admin API surface (linked from the homepage Resources section). Free, no signup required to read.
The tool requires a free account so the OAuth relay endpoint can be rate-limited. The reference content does not.
Security & what is not stored
Access tokens are shown once and never persisted
After Shopify returns your access token, it is shown to you exactly once. It is never written to our database or logged. If you lose the token, generate a new one — there is no recovery path because there is nothing to recover from.
Client secrets are discarded after the OAuth session
Your Custom App's Client Secret is held only for the duration of the active OAuth session and discarded when the session ends or after 10 minutes, whichever comes first.
You bring your own credentials
I do not create Shopify apps on your behalf. You create the Custom App in your Shopify Dev Dashboard, configure the redirect URL, and supply the Client ID and Secret. You stay in full control of the app and its lifecycle.
HTTPS, HSTS, modern security headers
Strict-Transport-Security with preload, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and a Content-Security-Policy are all set on every response. Source-map symbols are scrubbed from public builds.
Sign-in is by magic link, not password
Account creation is just an email address. We send a one-time magic link valid for 15 minutes. We never store passwords because we never accept passwords.
Operator & contact
accesstokengen.com is operated by Datora. Legal entity details, privacy policy, and terms of service are published on the Datora policies pages:
Ready to try the tool?
Generate a Shopify Admin API access token in under a minute.