Skip to content

Shopify Storefront Access Token

Service Name: Shopify

Service Description: Shopify is an e-commerce platform that allows businesses to create and manage online stores. Storefront Access Tokens are used to authenticate private applications with the Storefront API, enabling developers to build custom storefronts and shopping experiences.

Service Address: https://shopify.com/

Validation Type: API Auth

IP Allow list: Does not exist at the token level, but IP restrictions can be applied at the Shopify Admin level through login safeguards.

Secret Access Scope: Grants read-only access to product and collection data through the Storefront API. Can also be configured for checkout capabilities depending on the permissions assigned.

Secret Revokement URL: https://admin.shopify.com/settings/apps/development

Secret Example: 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

Suspicious Activity Investigation Instructions:

  • Review Shopify admin logs for unusual API calls or access patterns
  • Check for unexpected changes to product data or collection information
  • Monitor for unusual traffic patterns or request volumes to your Storefront API
  • Verify if there are any unauthorized applications or integrations using the token
  • Check for any checkout activities if the token has checkout permissions

Mitigation Instructions:

  • Log in to your Shopify admin dashboard
  • Navigate to Settings > Apps and sales channels > Develop apps

  • Locate the app associated with the compromised token

  • Click on the app name to access its settings
  • Scroll down to the "Storefront API" section
  • Click "Regenerate" next to the compromised Storefront access token
  • Update the new token in all legitimate applications that need access
  • Consider implementing additional security measures like IP restrictions at the

admin level

  • Review and limit the permissions granted to the token to only what is necessary