How Do I Authenticate My Shopify API?

Last updated on October 1, 2022 @ 5:15 pm

The Shopify API is a powerful tool that lets you access data about your shop, customers, and orders. In order to use the API, you first need to authenticate your shop.

There are two ways to authenticate your shop: using your shop’s domain name, or using an API key.

To authenticate using your shop’s domain name, you need to generate a URL that includes your domain name and a secret code. This URL will be used to redirect your customers to the Shopify authentication page.

To generate the URL, you first need to create a new application in your Shopify account. Once you’ve created the application, you’ll be given a “Shopify API key” and a “Shopify API secret”. These two pieces of information are what you need to generate the URL.

The URL is generated by concatenating the “Shopify API key”, the “Shopify API secret”, and your shop’s domain name. The resulting string is then run through a hashing algorithm (HMAC-SHA256) to create a signature. This signature is then appended to the end of the URL as a query parameter.

The full URL looks like this:

https://[your-shop-domain]/admin/oauth/authorize?client_id=[your-shopify-api-key]&scope=read_products&redirect_uri=https://[your-shop-domain]/admin/oauth/callback&state=[random-string]&grant_options[]=per-user&signature=[hmac-sha256-signature]

You can find more information about generating this URL in the Shopify documentation.

Once you have generated the URL, you need to redirect your customers to it so they can authenticate your shop. You can do this by adding a link or button on your website that points to the URL.

When your customers click on the link or button, they will be taken to the Shopify authentication page where they will be asked to enter their shop’s domain name and password. Once they have authenticated your shop, they will be redirected back to your site.
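
The state=[random-string] parameter in the URL above only protects the flow if the value is unpredictable and is checked when the visitor is redirected back. The following Python sketch is an added example, not code from the original article or from Shopify: it builds the client_id, scope, redirect_uri, state and grant_options[] parameters of that URL (the signature parameter is left aside) and verifies the returned state. The function names, the hostname check and the sample values are assumptions made for illustration.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Bare hostname only: no scheme, path, port, credentials or query (assumed check).
HOSTNAME = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+")


def build_authorize_url(shop_domain, api_key, redirect_uri, scope="read_products"):
    """Return (url, state); keep state in the visitor's server-side session."""
    if not HOSTNAME.fullmatch(shop_domain):
        raise ValueError("shop domain must be a bare hostname")
    state = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    query = urlencode([
        ("client_id", api_key),
        ("scope", scope),
        ("redirect_uri", redirect_uri),
        ("state", state),
        ("grant_options[]", "per-user"),
    ])
    return f"https://{shop_domain}/admin/oauth/authorize?{query}", state


def callback_state_ok(callback_url, expected_state):
    """True only if the callback carries exactly one state equal to the stored one."""
    values = parse_qs(urlsplit(callback_url).query).get("state", [])
    if not expected_state or len(values) != 1:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(values[0].encode(), expected_state.encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    shop = "example-shop.myshopify.com"
    url, state = build_authorize_url(shop, "abc123", f"https://{shop}/admin/oauth/callback")
    print(url)
    good = f"https://{shop}/admin/oauth/callback?code=sample&state={state}"
    forged = f"https://{shop}/admin/oauth/callback?code=sample&state=guessed"
    print(callback_state_ok(good, state), callback_state_ok(forged, state))
```

A callback with a missing, repeated or mismatched state is rejected before anything else in the request is processed.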

The second way to authenticate your shop is by using an API key. To do this, you first need to generate an API key in your Shopify account.

Once you have generated the API key, you can use it to make authenticated requests to the Shopify API. The advantage of using an API key is that it is more secure than using your shop’s domain name and it doesn’t require your customers to authenticate your shop.

How Do I Authenticate My Shopify API? There are two ways.

You can either use your shop’s domain name, or an API key.

To find out how, keep reading!

If you want instructions on how to use an API key, jump ahead to that section now. We’ll come back here later.

Using Your Domain Name

  1. Generate a URL that includes your domain name and a secret code. This URL will be used later to redirect customers to the Shopify authentication page.

  2. Create a new application in your Shopify account.

  3. Once created, you will be given two pieces of information:

  • Your Shopify API Key:
    a string of characters (like abc123def456ghi789jkl012mn345opq6)
    used as identification for an application (like this one). It’s generated when you create an application.

    (You’ll need this later!)
    (Keep this safe.)
    (Don’t share it with anyone.)

  • Your Shopify API Secret:
    a string of characters (like abc123def456ghi789jkl012mn345opq6)
    used as identification for an application (like this one). It’s generated when you create an application.

    (You’ll need this later!)
    (Keep this safe.)
    (Don’t share it with anyone.)

PRO TIP: “How Do I Authenticate My Shopify API?” is a common question asked by Shopify merchants. There are many ways to authenticate your Shopify API, but we recommend using OAuth 2.0. OAuth 2.0 is the most secure way to authenticate your Shopify API, and it’s the only method that we support.

  4. Concatenate (or put together) those pieces of information in this order: the “Shopify API key”, followed by the “Shopify API secret”, followed by your shop’s domain name.

    [your-shopify-api-key][your-shopify-api-secret][your-shop-domain]

(For example, if those pieces of information were “abc123”, “def456”, and “exampleShop”, then what you would concatenate would look like this: “abc123def456exampleShop”.)

  5. Hashing Algorithm (HMAC-SHA256): Use a hashing algorithm like HMAC-SHA256 on that string.

    [hmacsha256(concatenatedstring)]

(For example: if that concatenated string were “abc123def456exampleShop”, then what would get hashed would look like this: “[hmacsha256('abc123def456exampleShop')]”.) Now take that hashed string and...

  6. Append it as a query parameter at the end of this base URL: (don’t forget the question mark at the end)

(For example: if that hashed string were “098f6bcd4621d373cade4e832627b4f6”, then what would get appended at the end of the base URL would look like this: “[baseurl]?signature=098f6bcd4621d373cade4e832627b4f6”.) Now check that:

  • (1) everything before “[?signature=]” matches EXACTLY with what’s in Step #4 (
Drew Clemente

Devops & Sysadmin engineer. I basically build infrastructure online.