Skip to content

Shopify API Key

Service Name: Shopify

Service Description: Shopify is an e-commerce platform that allows individuals and businesses to create online stores to sell products. It provides tools for managing inventory, processing payments, tracking orders, and analyzing sales data.

Service Address: https://www.shopify.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the app level for private apps through Shopify Admin.

Secret Access Scope: Grants programmatic access to a Shopify store's data and functionality based on the permissions granted to the API key. This can include access to products, orders, customers, inventory, and other store data.

Secret Revokement URL: https://admin.shopify.com/settings/apps

Secret Example: shpat_12a3b4c5d6e7f8g9h0i1j2k3l4m5n6o7

Suspicious Activity Investigation Instructions:

  • Review the Shopify Admin audit logs for unusual API calls or access patterns.
  • Check for unexpected changes to store settings, products, or orders.
  • Monitor for unauthorized app installations or API key creations.
  • Examine the permissions granted to the compromised API key.
  • Review recent order and payment processing activities for suspicious transactions.

Mitigation Instructions:

  • Log in to your Shopify Admin dashboard.
  • Navigate to Settings > Apps and sales channels.
  • Locate the app associated with the compromised API key.
  • Click on the app and select Remove app or Revoke access.
  • For custom apps, navigate to the Custom apps section and delete the app or regenerate the API key.
  • For Partner apps, select Remove app to revoke access.
  • Create a new API key with appropriate permissions if needed.
  • Review and update your store's security settings, including two-factor authentication.
  • Monitor your store for any additional suspicious activity after revoking the key.