Shopify API Integration Guide for 2026
Learn how to integrate the Shopify API step by step. Covers REST vs GraphQL, authentication, webhooks, and real-world ecommerce use cases for US stores.
If you run a US ecommerce store on Shopify and want to automate workflows, sync data with external systems, or build custom apps, you need to understand the Shopify API. This guide walks you through authentication, webhooks, and rate limits. Real code examples are included. You can act on this today.
What Is the Shopify API and Why It Matters in 2026
The Shopify API gives you programmatic access to your store’s data and functionality. Three core components make up the system: the Shopify Admin API (manage products, orders, customers, and inventory), the Shopify Storefront API (build custom buyer-facing experiences), and the Payments API (handle transactions and payouts).
US merchants use API integrations to automate repetitive tasks, connect stores to ERP and warehouse systems, and build custom apps the Shopify App Store doesn’t offer. Over 4.6 million live stores now run on Shopify worldwide. API call volume has grown 38% year over year (Source: Shopify Editions, 2026).
Shopify releases a new API version every quarter — for example, 2026-01, 2026-04. As of 2026, Shopify has committed to a GraphQL-first development path. New features appear in GraphQL before REST. Some never reach REST at all.
REST API vs GraphQL API: Which One Should You Use
Choosing between REST and GraphQL affects integration speed, data transfer volume, and how many API calls you burn through.
| Feature | REST API | GraphQL API |
|---|---|---|
| Data Fetching | Fixed response shape; returns all fields | You pick exactly which fields you need |
| Rate Limits | Bucket-based: 40 requests, 2/sec restore | Cost-based: 2,000 points per second |
| Nested Resources | Requires multiple calls | Single query fetches related objects |
| New Feature Support | Limited; some endpoints deprecated | All new features ship here first |
| Learning Curve | Lower; familiar URL patterns | Moderate; requires learning query syntax |
| Best For | Simple CRUD, legacy integrations | Complex queries, modern apps |
REST still works fine for simple operations — like updating a single product price — or for legacy integrations already running on REST endpoints. But if you’re starting fresh, GraphQL is Shopify’s recommended approach. You reduce over-fetching and cut total API call count significantly (Source: Shopify Dev Docs, 2026).
For a deeper comparison, check out our Shopify GraphQL vs REST breakdown.
How to Set Up a Shopify Developer Account and App
Start by creating a free Shopify Partner account at partners.shopify.com. This gives you access to the Shopify Partner Dashboard. From there you manage apps, development stores, and client stores.
Next, create a development store. It’s free and sandboxed. You can test API calls without touching real orders or customer data. In the Partner Dashboard, go to Stores > Add store > Development store.
To create your app, navigate to Apps > Create App in the Partner Dashboard. Two types are available:
- Custom app: Built for a single store. Uses a direct access token. Best for your own store.
- Public app: Installable on multiple stores via the Shopify App Store. Requires full OAuth 2.0 authentication.
If you’re building for your own US store, start with a custom app. You can convert later. For a full walkthrough, see our Shopify app development tutorial.
Shopify API Authentication: OAuth 2.0 Step by Step
Public Shopify apps authenticate through OAuth 2.0. Here’s how the flow works:
- Your app redirects the merchant to https://{store}.myshopify.com/admin/oauth/authorize with your client_id, requested scopes, and a redirect_uri.
- The merchant reviews and grants the requested permissions.
- Shopify redirects back to your redirect_uri with a temporary code parameter.
- Your server exchanges that code for a permanent access token by sending a POST request to /admin/oauth/access_token.
For custom apps, the process is simpler. Go to Settings > Apps and sales channels > Develop apps in the Shopify admin. Generate an Admin API access token directly there. No OAuth redirect flow needed.
Store your access tokens in environment variables or a secrets manager. Never hardcode them. Never expose them in client-side JavaScript.
Here’s a Node.js example of the token exchange step:
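```javascript
const axios = require('axios');

// A shop name is a single DNS label; anything else is rejected so the
// client secret is only ever posted to a *.myshopify.com host.
const SHOP_NAME = /^[a-z0-9][a-z0-9-]*$/i;

// Exchange the temporary authorization code for an access token.
async function exchangeToken(store, code) {
  if (!SHOP_NAME.test(store)) {
    throw new Error('Invalid shop name');
  }
  const response = await axios.post(
    `https://${store}.myshopify.com/admin/oauth/access_token`,
    {
      client_id: process.env.SHOPIFY_API_KEY,
      client_secret: process.env.SHOPIFY_API_SECRET,
      code: code,
    },
    { headers: { 'Content-Type': 'application/json' } }
  );
  return response.data.access_token;
}
```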
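Before the exchange step runs, the server should confirm that the redirect carrying the code really came from Shopify and belongs to the session that started the flow. The following Python code is an added example, not code from this guide or from Shopify; it assumes the callback carries shop, state, timestamp and a hex hmac parameter computed with the app's client secret over the remaining parameters sorted by name, and that values need no percent-encoding. Function names and sample values are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl

# A shop hostname is one label under myshopify.com.
SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")


def sign_query(pairs, client_secret):
    """Hex HMAC-SHA256 over the name-sorted key=value pairs joined with '&'."""
    message = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return hmac.new(client_secret.encode(), message.encode(),
                    hashlib.sha256).hexdigest()


def verify_oauth_callback(query_string, client_secret, expected_state):
    """Return the shop hostname if the callback is authentic, else raise ValueError."""
    params = parse_qsl(query_string, keep_blank_values=True)
    received = [v for k, v in params if k == "hmac"]
    if len(received) != 1:
        raise ValueError("missing or repeated hmac parameter")
    expected = sign_query([(k, v) for k, v in params if k != "hmac"], client_secret)
    if not hmac.compare_digest(expected.encode(), received[0].encode()):
        raise ValueError("hmac mismatch")
    fields = dict(params)
    # state must equal the nonce stored for this session before the redirect.
    if not hmac.compare_digest(fields.get("state", "").encode(),
                               expected_state.encode()):
        raise ValueError("state mismatch")
    shop = fields.get("shop", "")
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("shop is not a myshopify.com hostname")
    return shop


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = "constructed-secret"
    pairs = [("code", "abc123"), ("shop", "example-store.myshopify.com"),
             ("state", "nonce42"), ("timestamp", "1700000000")]
    qs = "&".join(f"{k}={v}" for k, v in pairs) + "&hmac=" + sign_query(pairs, secret)
    print(verify_oauth_callback(qs, secret, "nonce42"))
```

Only the shop value returned by this check should be passed on to the token exchange.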
Making Your First Shopify API Call
Every Shopify Admin API call uses the same base URL pattern:
https://{store}.myshopify.com/admin/api/2026-04/
Two headers are required on every request: X-Shopify-Access-Token (your access token) and Content-Type: application/json.
REST example — Fetch all products:
GET https://your-store.myshopify.com/admin/api/2026-04/products.json
GraphQL example — Fetch only the title and price of the first 10 products:
```graphql
{
  products(first: 10) {
    edges {
      node {
        title
        variants(first: 1) {
          edges {
            node {
              price
            }
          }
        }
      }
    }
  }
}
```
The GraphQL query returns only the fields you asked for. The REST call returns every product field by default. That difference adds up at scale.
Before writing production code, test your calls in Postman. Set up a request, paste in your URL and headers, and confirm you get a 200 OK response. You can also use the built-in GraphiQL explorer at https://{store}.myshopify.com/admin/api/2026-04/graphql.json.
Here are the most common response codes you’ll encounter:
- 200: Success.
- 201: Resource created.
- 422: Your request body has validation errors. Check your JSON.
- 429: You’ve hit rate limits. Back off and retry.
Understanding Shopify API Rate Limits and How to Handle Them
Rate limits protect Shopify’s infrastructure. Ignore them and your integration will break under load.
REST rate limits use a leaky bucket model. Each app gets 40 requests per store. The bucket refills at 2 requests per second. Check the X-Shopify-Shop-Api-Call-Limit header — for example, 32/40 — to see where you stand.
GraphQL rate limits use a cost-based system. Each query costs a calculated number of points based on the data requested. You get 2,000 cost points per second. The response includes a throttleStatus object showing your remaining budget (Source: Shopify Dev Docs, 2026).
When you hit a 429 Too Many Requests error, use exponential backoff:
```javascript
// Retry a call on HTTP 429 with exponential backoff (1s, 2s, 4s, ...).
async function apiCallWithRetry(fn, maxRetries = 5) {
  for (let i = 0; i < maxRetries; i++) {
    try {
      return await fn();
    } catch (err) {
      if (err.response?.status === 429) {
        const delay = Math.pow(2, i) * 1000;
        await new Promise(res => setTimeout(res, delay));
      } else {
        // Any other error is not a rate-limit problem; surface it.
        throw err;
      }
    }
  }
  throw new Error('Max retries exceeded');
}
```
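The retry loop above only reacts after a 429. As an added example (not from the original guide), the following Python class models the REST bucket described above, 40 slots draining at 2 per second, and resyncs from the X-Shopify-Shop-Api-Call-Limit header so a client can pause before the bucket fills. The class name, the reserve parameter and the sample header values in the comments are assumptions.

```python
import time


class LeakyBucketPacer:
    """Client-side model of the REST bucket: 40 slots, draining 2 per second."""

    def __init__(self, capacity=40, leak_per_sec=2.0, clock=time.monotonic):
        self.capacity = capacity
        self.leak = leak_per_sec
        self._clock = clock
        self._level = 0.0          # estimated requests currently in the bucket
        self._stamp = clock()      # time of the last estimate

    def _drain(self):
        # Apply the leak for the time elapsed since the last estimate.
        now = self._clock()
        self._level = max(0.0, self._level - (now - self._stamp) * self.leak)
        self._stamp = now

    def observe(self, call_limit_header):
        """Resync from an X-Shopify-Shop-Api-Call-Limit value such as '32/40'."""
        used, _, cap = call_limit_header.partition("/")
        self._level, self.capacity = float(used), int(cap)
        self._stamp = self._clock()

    def wait_time(self, reserve=5):
        """Seconds to wait so the next request still leaves `reserve` slots free."""
        self._drain()
        over = self._level + 1 - (self.capacity - reserve)
        return max(0.0, over / self.leak)

    def record_request(self):
        """Count a request that was sent without a header to resync from yet."""
        self._drain()
        self._level += 1
```

Call observe() with the header from every response and sleep for wait_time() before the next request; the backoff loop remains the fallback when another process shares the same bucket.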
For large data exports — pulling your full product catalog or entire order history — use the Bulk Operations API instead. It queues a query that runs asynchronously and returns a JSONL file when done. Normal rate limits don’t apply. Learn more in our Shopify Bulk Operations API guide.
Setting Up Shopify Webhooks for Real-Time Data
Polling the API constantly for changes wastes calls. Shopify Webhooks push event data to your endpoint the moment something happens.
Common webhook topics include:
- orders/create — Fires when a new order is placed.
- products/update — Fires when any product field changes.
- inventory_levels/update — Fires when stock levels change at any location.
You can register webhooks through the API (POST to /admin/api/2026-04/webhooks.json) or through the Partner Dashboard. For details, see our Shopify webhook setup guide.
Every incoming webhook includes an X-Shopify-Hmac-Sha256 header. Validate this HMAC signature to confirm the payload came from Shopify and wasn’t spoofed. Here’s a Python verification example:
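```python
import base64
import hashlib
import hmac


def verify_webhook(data, hmac_header, secret):
    # data must be the raw request body as bytes, exactly as received;
    # re-serialized JSON will not produce the same digest.
    computed = base64.b64encode(
        hmac.new(secret.encode('utf-8'), data, hashlib.sha256).digest()
    )
    # Constant-time comparison; a missing header is treated as a mismatch.
    return hmac.compare_digest(computed, (hmac_header or '').encode('utf-8'))
```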
Shopify may deliver the same webhook more than once. Design your handler to be idempotent. Track processed webhook IDs and skip duplicates.
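The two requirements above, signature validation and idempotent handling, combined in one handler. This is an added example, not code from the original guide; the X-Shopify-Webhook-Id header name, the in-memory ID table with a TTL, and the sample payload and secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def sign(secret, raw_body):
    """Base64 HMAC-SHA256 of the raw body, as carried in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


class WebhookReceiver:
    """Verify, de-duplicate, then process one webhook delivery at a time."""
    def __init__(self, secret, ttl_seconds=86400, clock=time.time):
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock
        self._seen = {}       # webhook ID -> time it was processed
        self.processed = []   # stand-in for the real business logic

    def handle(self, raw_body, headers):
        """Return (status_code, outcome) for one delivery."""
        # 1. Authenticate the exact bytes received, before parsing them.
        expected = sign(self._secret, raw_body).encode("ascii")
        received = (headers.get("X-Shopify-Hmac-Sha256") or "").encode("utf-8")
        if not hmac.compare_digest(expected, received):
            return 401, "rejected"
        # 2. Only authenticated deliveries may read or grow the ID table.
        now = self._clock()
        self._seen = {k: t for k, t in self._seen.items() if now - t < self._ttl}
        webhook_id = headers.get("X-Shopify-Webhook-Id")  # assumed header name
        if not webhook_id:
            return 400, "missing id"
        if webhook_id in self._seen:
            return 200, "duplicate"   # acknowledge so the sender stops retrying
        # 3. Process first, record second, so a crash mid-way allows a retry.
        self.processed.append(json.loads(raw_body))
        self._seen[webhook_id] = now
        return 200, "processed"


if __name__ == "__main__":
    body = b'{"id": 1001, "total_price": "19.99"}'   # constructed payload
    hdrs = {"X-Shopify-Hmac-Sha256": sign("constructed-secret", body),
            "X-Shopify-Webhook-Id": "constructed-id-1"}
    rx = WebhookReceiver("constructed-secret")
    print(rx.handle(body, hdrs), rx.handle(body, hdrs))
```

With more than one worker, the ID table belongs in a shared store with an atomic insert; web frameworks may also normalize header names, so the lookups should match the framework's casing.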
Common Shopify API Integration Use Cases for US Ecommerce
Here are the most practical ways US merchants use the Shopify API:
- Inventory sync with 3PL providers: Push real-time stock levels between Shopify and your third-party warehouse management system so you never oversell.
- ERP order routing: Automatically send new orders to NetSuite, SAP, or Microsoft Dynamics the moment they’re placed.
- Custom checkout flows: Use the Storefront API to build headless storefronts with personalized buying experiences. See our Storefront API guide for more.
- Customer tagging and segmentation: Auto-tag customers based on purchase behavior, location, or lifetime value to power targeted email campaigns.
Real example: Portland-based apparel brand Wildfang integrated the Shopify Admin API with their warehouse system to automate order fulfillment routing. The result was a 70% reduction in manual order processing time and a drop in fulfillment errors from 4.2% to under 1% within six months (Source: Shopify Plus Case Studies, 2025).
Shopify API Security Best Practices
Security mistakes with API credentials can expose customer PII and payment data. Follow these rules without exception.
Always use HTTPS for every API endpoint and webhook receiver. Scope API permissions to the minimum required access — if your app only reads products, don’t request write_orders. Rotate access tokens periodically. Revoke them immediately when a team member leaves.
Store API keys, secrets, and tokens in environment variables or a secrets manager like AWS Secrets Manager or HashiCorp Vault. Never commit credentials to source code or Git repositories. Log all API activity so you have an audit trail if something goes wrong. Where possible, use IP allowlisting to restrict which servers can call your private endpoints.
For a more detailed framework, see our ecommerce API security checklist.
Troubleshooting Common Shopify API Errors
The HTTP status code tells you where to start looking when something breaks.
- 401 Unauthorized: Your access token is missing, expired, or malformed. Double-check your X-Shopify-Access-Token header.
- 403 Forbidden: Your app doesn’t have the required API scopes. Re-authorize with the correct permissions.
- 404 Not Found: You’re hitting the wrong endpoint URL or referencing a resource ID that doesn’t exist.
- 429 Too Many Requests: You’ve exceeded rate limits. Implement the retry logic from the rate limits section above.
- 422 Unprocessable Entity: Your request body has validation errors. Compare your JSON payload against the Shopify API reference docs.
When you’re stuck, use the Shopify Developer Forums, Shopify Community, and the official API changelog. The Shopify CLI also has built-in debugging tools that surface detailed error messages during local development.
Frequently Asked Questions
Is the Shopify API free to use?
Yes, the Shopify API itself is free. You pay for your Shopify plan, but API access is included on every tier. Some advanced features — like the Multipass API or higher rate limits — require a Shopify Plus plan, which starts at $2,300/month (Source: Shopify Pricing, 2026).
What programming languages work best with the Shopify API?
Shopify provides official libraries for Node.js, Python, PHP, and Ruby. In 2026, the Shopify CLI and most community SDKs are JavaScript/TypeScript-first, making Node.js the most straightforward choice for new projects.
What is the difference between a custom app and a public Shopify app?
A custom app works with one store and uses a direct access token. A public app can be installed on many stores through the Shopify App Store and requires OAuth 2.0. If you’re building for your own store, a custom app is simpler and faster to set up.
How do I keep my Shopify API integration up to date?
Shopify releases a new API version every quarter. Pin your integration to a specific version in the URL — for example, 2026-04 — then test and upgrade before that version reaches its end-of-life date, typically two years after release (Source: Shopify API Versioning Docs, 2026).
Can I use the Shopify API without a Shopify Plus plan?
Yes. Most API endpoints are available on all Shopify plans, including Basic. Shopify Plus unlocks extras like the Multipass API, B2B features, and higher rate limits, but standard API integration works on every plan. Check out our best Shopify apps for 2026 to see what’s possible without Plus.
How do I test Shopify API calls safely without affecting a live store?
Create a free development store in the Shopify Partner Dashboard. All API calls there are sandboxed and won’t affect real customers or orders. You can also use Postman or the built-in GraphiQL explorer at your store’s /admin/api/graphql.json endpoint to test queries interactively.