Get a Permanent Shopify Admin API Key (Long‑Lived Access Token)

This guide shows the fastest way to get a long‑lived (offline) Shopify Admin API access token for your store. People often call this a “permanent Shopify API key”, but technically it’s an access token (usually starting with shpat_).
What you’ll get
- A long‑lived Admin API access token (offline token)
- The exact scopes you approved (least privilege)
Important: “Permanent” means there’s no expiry timestamp. The token can still be revoked (uninstall the app, rotate credentials, or change scopes). Treat it like a password.
Prerequisites
- A Shopify Partners account (to create an app)
- A store to install the app on (dev store is perfect)
- Postman (or any HTTP client)
- A webhook.site URL (used as a quick redirect URI to capture the code)
Step-by-step (manual OAuth)
1) Create an app + choose scopes
In your Shopify Partners dashboard, create an app and choose the scopes you need (example: read_products, write_products). Keep scopes minimal.
2) Set the redirect URI (webhook.site)
Open webhook.site and copy your unique URL. Add that URL under your app’s Redirect URLs.
The redirect URI must match exactly between your app settings and the authorize URL you build later.
3) Release and install the app
Release the app so it becomes installable, then install it on your target store. After installing, open the app settings and copy:
- Client ID
- Client secret
4) Build the authorize URL
Use your store domain (the part before .myshopify.com) and build this URL:
https://{shop}.myshopify.com/admin/oauth/authorize?client_id={client_id}&scope={scopes}&redirect_uri={redirect_uri}&state={random_string}
- {shop}: for example your-store
- {scopes}: comma-separated, for example read_products,write_products
- {redirect_uri}: your webhook.site URL (URL-encode if needed)
- state: random value (recommended; real apps must validate it)
Tip: For a long‑lived offline token, don’t request a per‑user token. In practice: don’t add grant_options[]=per-user.
5) Approve access and copy the code
Open the authorize URL in your browser and approve the scopes. Shopify redirects to webhook.site. In the request URL (query string), copy the value of code.
6) Exchange code for the access token (Postman)
Create a POST request in Postman:
https://{shop}.myshopify.com/admin/oauth/access_token
Body → x-www-form-urlencoded:
client_id: {client_id}
client_secret: {client_secret}
code: {code_from_webhook_site}
Send the request. The response returns access_token and scope. Store the access_token securely.
Test the token
Use your token in REST or GraphQL (replace {api_version} with the version you’re using):
REST
GET https://{shop}.myshopify.com/admin/api/{api_version}/products.json
X-Shopify-Access-Token: {access_token}
GraphQL
POST https://{shop}.myshopify.com/admin/api/{api_version}/graphql.json
Content-Type: application/json
X-Shopify-Access-Token: {access_token}
{"query":"{ shop { name } }"}
Troubleshooting
- redirect_uri mismatch: ensure the redirect URI is identical (and URL-encoded when needed).
- invalid_scope: your scopes must be valid and comma-separated; re-authorize after changing scopes.
- invalid code: the authorization code can only be exchanged once; restart from the authorize URL.
- 401/403 on API calls: token revoked, app uninstalled, or missing scopes.
Security checklist
- Never commit the token or client secret to git.
- Use the minimum scopes possible.
- If you change scopes, re-authorize and generate a new token.
- For production apps: validate the state parameter and use a redirect URI you control (webhook.site is for quick testing).
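The production advice above (validate state, keep the redirect URI byte-for-byte identical and URL-encoded), as an added Python example that is not part of the original guide. The shop-name pattern, the example.test callback URL and the placeholder credentials are assumptions made for illustration.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed pattern for the part before .myshopify.com (illustrative, not from the guide).
SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*")

def build_authorize_url(shop, client_id, scopes, redirect_uri):
    """Return (authorize_url, state); keep state server-side until the callback."""
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("unexpected shop name")
    state = secrets.token_urlsafe(32)  # unguessable, single use
    query = urlencode({
        "client_id": client_id,
        "scope": ",".join(scopes),     # comma-separated, as in step 4
        "redirect_uri": redirect_uri,  # urlencode() percent-encodes it
        "state": state,
    })
    return f"https://{shop}.myshopify.com/admin/oauth/authorize?{query}", state

def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if state matches the value we issued."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    # Constant-time comparison; an empty expected_state never matches.
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if not code:
        raise ValueError("callback carries no code")
    return code

def token_request(shop, client_id, client_secret, code):
    """URL and form fields for the step 6 POST; send with any HTTP client."""
    url = f"https://{shop}.myshopify.com/admin/oauth/access_token"
    return url, {"client_id": client_id, "client_secret": client_secret, "code": code}

if __name__ == "__main__":
    # Constructed values: example.test stands in for a redirect URI you control.
    url, state = build_authorize_url("your-store", "CLIENT_ID", ["read_products"],
                                     "https://example.test/oauth/callback")
    callback = f"https://example.test/oauth/callback?code=constructed-code&state={state}"
    print(url)
    print(token_request("your-store", "CLIENT_ID", "CLIENT_SECRET",
                        code_from_callback(callback, state)))
```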

About the Author
Albin Hot
I help e-commerce businesses grow with SEO, automation, and technical implementations.
