
Shopify Storefront Access Token vs Admin Access Token

Shopify has two completely separate APIs and two different tokens. Most token confusion comes from mixing them up. Here’s which is which, when to use each, and what happens if you pick wrong.

By Datora Team · Updated

TL;DR

                      Storefront access token                  Admin access token
For                   Customer-facing storefront queries       Server-side store administration
Endpoint              /api/<ver>/graphql.json                  /admin/api/<ver>/...
Header                X-Shopify-Storefront-Access-Token        X-Shopify-Access-Token
Safe in browser?      Yes (public token)                       Never
Scope system          unauthenticated_* scopes (limited set)   Full admin scopes (read_/write_*)
Format (typical)      32-char hex string                       shpat_ + hex string
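The wiring in the table, as an added example that is not code from the original article or from Shopify: a small Node.js helper that builds a GraphQL request for either API with the matching path and header, and refuses before sending the two pairings that go wrong in practice (an Admin API call made from browser code, and a public Storefront token sent to the Admin endpoint). The shop domain, API version, query strings and token values are constructed placeholders; the token-shape checks are heuristics taken from the table's "Format (typical)" row and are advisory only.

```javascript
// Added example (not code from the original article or from Shopify): build a
// correctly paired Shopify GraphQL request and fail fast on the pairings the
// comparison table rules out. Shop domain, API version and tokens are constructed.

const API_VERSION = "2024-01"; // assumption: whichever API version your app targets

// Endpoint path and auth header per API, from the comparison table.
const APIS = {
  storefront: {
    path: (ver) => `/api/${ver}/graphql.json`,
    header: "X-Shopify-Storefront-Access-Token",
  },
  admin: {
    path: (ver) => `/admin/api/${ver}/graphql.json`,
    header: "X-Shopify-Access-Token",
  },
};

// Format heuristics from the table's "Format (typical)" row. They are advisory:
// a token matching neither shape is passed through and left to the server to judge.
const looksLikeAdminToken = (t) => /^shpat_[0-9a-f]+$/i.test(t);
const looksLikePublicStorefrontToken = (t) => /^[0-9a-f]{32}$/i.test(t);

// runtime is "browser" or "server": where this request will be sent from.
function buildShopifyRequest({ api, runtime, shop, token, query, variables = {}, version = API_VERSION }) {
  const target = APIS[api];
  if (!target) throw new Error(`unknown api "${api}"`);

  // Admin API from client-side code: route it through a server instead.
  if (api === "admin" && runtime === "browser") {
    throw new Error("Admin API calls must be proxied through a server, never made from the browser");
  }
  // shpat_-format tokens are secrets; they never belong in browser code at all.
  if (runtime === "browser" && looksLikeAdminToken(token)) {
    throw new Error("secret (shpat_) token in browser code");
  }
  // Cross-token call: a public Storefront token on the Admin endpoint is rejected
  // with 401 server-side; catch it before sending. Only this direction is checked
  // by shape, since the table gives one typical Storefront format.
  if (api === "admin" && looksLikePublicStorefrontToken(token)) {
    throw new Error("public Storefront token cannot authenticate Admin API calls");
  }

  return {
    method: "POST",
    url: `https://${shop}${target.path(version)}`,
    headers: { "Content-Type": "application/json", [target.header]: token },
    body: JSON.stringify({ query, variables }),
  };
}

// Constructed sample values, not real credentials.
const SAMPLE_SHOP = "example-shop.myshopify.com";
const SAMPLE_PUBLIC_STOREFRONT_TOKEN = "0123456789abcdef0123456789abcdef";
const SAMPLE_ADMIN_TOKEN = "shpat_0123456789abcdef0123456789abcdef";

// Browser: public Storefront token against the Storefront endpoint.
function browserProductQuery() {
  return buildShopifyRequest({
    api: "storefront", runtime: "browser", shop: SAMPLE_SHOP, token: SAMPLE_PUBLIC_STOREFRONT_TOKEN,
    query: "{ products(first: 3) { edges { node { title } } } }",
  });
}

// Server: Admin token against the Admin endpoint.
function serverOrderQuery() {
  return buildShopifyRequest({
    api: "admin", runtime: "server", shop: SAMPLE_SHOP, token: SAMPLE_ADMIN_TOKEN,
    query: "{ orders(first: 3) { edges { node { name } } } }",
  });
}

// Print the URL and header names only; never log token values.
console.log(browserProductQuery().url, Object.keys(browserProductQuery().headers));
console.log(serverOrderQuery().url, Object.keys(serverOrderQuery().headers));
```

The `runtime` argument is the piece worth copying: a bundler define or environment check can supply it, so the same helper is safe to import from both the client and the server code paths, and the browser path can never be handed an Admin call.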

Storefront API & its access token

The Storefront API is Shopify’s customer-facing GraphQL API. Anything a customer might do on the storefront — browsing products, building a cart, applying a discount, starting checkout, logging into their account — is exposed there.

The Storefront access token is what authorizes those calls. There are two flavors:

  • Public Storefront access token — safe to ship in client-side code. Issued to a sales channel app. Limited to unauthenticated_* scopes. Rate-limited per IP. Same security model as a publishable Stripe key: it identifies your storefront but can’t damage the store.
  • Private Storefront access token — used server-side, kept secret. Slightly higher rate limits and access to a small set of unauthenticated_* scopes that aren’t available to public tokens.

Use cases: headless storefronts (Hydrogen, Next.js, Astro, etc.), custom checkout pages, embeddable buy buttons, storefront search/recommendation widgets, native mobile apps for the store.

Admin API & its access token

The Admin API is the back-office API. It covers everything a merchant or operator does in the Shopify admin: managing products, fulfilling orders, adjusting inventory, issuing refunds, configuring shipping, reading reports.

The Admin access token — the one this site helps you generate — is issued through the OAuth 2.0 flow against a Custom or Public app. It looks like shpat_ followed by a hex string, and it must stay secret. Anyone with the token can do whatever the token’s scopes allow, including reading customer PII, editing prices, and exporting orders.

Use cases: order export to ERP / accounting systems, inventory sync, marketing automations, customer migration tools, fulfillment integrations, internal admin dashboards, anything that needs to change data on the store.

For the full list of scopes available, see the Admin API scopes reference.

Which one do you need?

Walk down this list and stop at the first match:

  • Building a headless storefront / custom buy button / mobile app for shoppers? Storefront access token (public).
  • Building a back-office tool that syncs orders, inventory, or customers? Admin access token.
  • Need both a customer surface and a back-end pipeline? Issue both tokens. They’re separate — Storefront for browser, Admin for server.
  • Doing one-off scripts (export products, bulk-update prices) for a store you own? Admin access token. Generate one in 60 seconds with the OAuth flow.

Common mistakes

  • Putting an Admin token in client-side code. The most damaging mistake. Anyone who opens DevTools sees the token, and an Admin token grants every scope it was issued with. Always proxy Admin API calls through a server.
  • Calling the Storefront API with the Admin token (or vice versa). The endpoints reject cross-token calls with 401. Make sure the URL path (/api/... vs /admin/api/...) and the header (X-Shopify-Storefront-Access-Token vs X-Shopify-Access-Token) match.
  • Trying to mutate orders or inventory through the Storefront API. The Storefront API exposes a small, customer-safe slice of the data model. Order management, inventory adjustments, and product CRUD only live on the Admin API.
  • Using a Storefront private token in browser code. Private Storefront tokens have higher quotas and access to more data. They’re meant for server-side calls only. Keep them out of the bundle that ships to customers.
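The server-side proxy that the first mistake calls for, as an added example (not the article's own code or Shopify's): the browser sends only an operation name and variables, the server owns both the query text and the Admin token, and a pre-deploy scan checks the built client bundle for anything shaped like an Admin token so the leak is caught before it ships. The allow-listed operation, shop domain, API version, token and bundle snippets are all constructed for the example.

```javascript
// Added example (not from the original article): the Admin API proxy pattern as
// a pure request-translation function so it runs offline, plus a pre-deploy scan
// of the client bundle. Operation, shop, version, token and bundles are constructed.

// Heuristic from the table's "Format (typical)" row: shpat_ followed by hex.
const ADMIN_TOKEN_PATTERN = /shpat_[0-9a-f]{16,}/gi;

// Allow-listed operations the browser may ask the proxy to run. The client never
// supplies query text or a token; it names an operation and passes variables,
// which are validated before anything is sent upstream.
const ALLOWED_OPERATIONS = {
  // assumption: an internal dashboard that only needs to read recent orders
  recentOrders: {
    query: "query RecentOrders($first: Int!) { orders(first: $first) { edges { node { name createdAt } } } }",
    validate: (vars) => Number.isInteger(vars.first) && vars.first > 0 && vars.first <= 50,
  },
};

function createAdminProxy({ shop, adminToken, version, operations = ALLOWED_OPERATIONS }) {
  return function handleClientRequest(clientRequest) {
    const name = clientRequest.operation;
    // hasOwnProperty guards against prototype names such as "constructor".
    if (!Object.prototype.hasOwnProperty.call(operations, name)) {
      return { status: 400, error: "unknown operation" };
    }
    const op = operations[name];
    const vars = clientRequest.variables || {};
    if (!op.validate(vars)) return { status: 400, error: "invalid variables" };
    // Only operation and variables are read from the client; any header or token
    // the client sent is ignored, and the server's token is attached here.
    return {
      status: 200,
      outbound: {
        method: "POST",
        url: `https://${shop}/admin/api/${version}/graphql.json`,
        headers: { "Content-Type": "application/json", "X-Shopify-Access-Token": adminToken },
        body: JSON.stringify({ query: op.query, variables: vars }),
      },
    };
  };
}

// Pre-deploy check: the built client bundle must contain nothing that looks like
// an Admin token. Matches are masked so CI can fail loudly without logging the secret.
function scanBundleForAdminTokens(bundleText) {
  const hits = bundleText.match(ADMIN_TOKEN_PATTERN) || [];
  return hits.map((h) => h.slice(0, 10) + "...");
}

// Constructed samples, not real credentials or real bundles.
const SAMPLE_ADMIN_TOKEN = "shpat_0123456789abcdef0123456789abcdef";
const sampleProxy = createAdminProxy({
  shop: "example-shop.myshopify.com",
  adminToken: SAMPLE_ADMIN_TOKEN,
  version: "2024-01", // assumption: the API version your app targets
});

// A healthy bundle carries only a public Storefront token and the Storefront path.
const GOOD_BUNDLE =
  'const t="0123456789abcdef0123456789abcdef";fetch("/api/2024-01/graphql.json",{headers:{"X-Shopify-Storefront-Access-Token":t}})';
// A leaky bundle calls the Admin API directly with a shpat_ token baked in.
const LEAKY_BUNDLE =
  'fetch("/admin/api/2024-01/graphql.json",{headers:{"X-Shopify-Access-Token":"shpat_0123456789abcdef0123456789abcdef"}})';

console.log("good bundle hits:", scanBundleForAdminTokens(GOOD_BUNDLE).length);
console.log("leaky bundle hits:", scanBundleForAdminTokens(LEAKY_BUNDLE));
console.log("proxy status:", sampleProxy({ operation: "recentOrders", variables: { first: 10 } }).status);
```

Wire `sampleProxy` behind an authenticated route in whatever server framework you use and have the browser call that route instead of Shopify; the bundle scan belongs in CI on the built output, since that is the artifact a visitor can actually read from DevTools.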

Need an Admin API token?

Generate one in 60 seconds via OAuth. Bring your own Custom App credentials, pick scopes from the reference, copy your token. Storefront tokens are issued separately through your sales channel app configuration in Shopify.

Frequently asked questions

What's the difference between a Shopify Storefront access token and an Admin access token?

The Storefront access token is for customer-facing queries (products, collections, cart, checkout) and is safe to ship to a browser. The Admin access token is for server-side administration of the store (orders, inventory, customers, fulfillments) and must stay secret. They're issued separately, target different APIs, and have completely different scope systems.

Can I use a Shopify Admin access token in the browser?

Never. Admin tokens grant full administrative access to the store within their scope set. Shipping one to the browser exposes it to anyone who opens DevTools, and a leaked Admin token can read every order, edit every product, and exfiltrate customer data. Use a Storefront access token for browser-side queries; keep Admin tokens server-side only.

Is a Shopify Storefront access token safe to expose publicly?

The public Storefront access token (the kind issued to a sales channel app) is designed to be exposed in client-side code — it can only call the Storefront API, only against the resources allowed by its unauthenticated_* scopes, and is rate-limited. It's the same model as a publishable Stripe key. There's also a private Storefront access token for server-side calls; that one stays secret.

Which Shopify API do I need for a headless storefront?

The Storefront API. It's purpose-built for headless and custom storefronts: products, collections, cart, checkout, customer accounts. Use a public Storefront access token for browser-side queries. The Admin API is for back-office operations and shouldn't be called from a customer-facing surface.

Can the same Shopify app have both tokens?

Yes. Many apps need both — a server backend that calls the Admin API and a frontend that calls the Storefront API. The two tokens are issued independently, with their own scope sets, and you store and use them separately. They're not interchangeable.