Skip to content

Shopify Admin Access Token

Service Name: Shopify

Service Description: Shopify is an e-commerce platform that allows individuals and businesses to create online stores to sell products. It provides tools for inventory management, payment processing, shipping, and customer engagement.

Service Address: https://shopify.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the Shopify Partner or Store level through the Shopify Admin interface.

Secret Access Scope: Grants programmatic access to a Shopify store's resources through the Admin API, allowing operations such as managing products, orders, customers, and other store data.

Secret Revokement URL: https://admin.shopify.com/settings/apps

Secret Example: shpat_c1d2e3f4g5h6i7j8k9l0m1n2o3p4q5r6

Suspicious Activity Investigation Instructions:

  • Review the Shopify Admin audit logs for unusual API calls or resource modifications.
  • Check for unexpected changes to products, orders, or customer data.
  • Monitor for unauthorized app installations or permission changes.
  • Review recent API usage patterns for abnormal request volumes or access patterns.
  • Check for changes to payment settings or shipping configurations.

Mitigation Instructions:

  • Log in to your Shopify Admin dashboard.

  • Navigate to Settings > Apps and sales channels.

  • Find the app or custom app using the compromised token.
  • Click on the app and select "Remove app" or revoke specific access tokens.
  • Generate a new access token if needed for legitimate applications.
  • Review and update app permissions to follow the principle of least privilege.
  • Enable two-factor authentication for all admin accounts.
  • Review all authorized users and remove unnecessary access.