
Shopify expiring token 2027: mandatory migration for public apps

Shopify is making expiring offline access tokens mandatory for all public apps by January 1, 2027. Here is what technical teams need to do to comply without disrupting merchants.

Ivan Signorile
May 11, 2026 · 4 min read

The deadline technical teams cannot ignore

From January 1, 2027, all public apps using the Shopify Admin API must adopt expiring offline access tokens. Apps that continue using non-expiring tokens will receive authentication errors. This is not a recommendation: it is an infrastructural change with a precise date and immediate operational consequences.

The change is not entirely new. From April 1, 2026, the rule already applies to public apps created after that date. The extension to the existing app catalog — including apps developed before April 2026 — is the new development that makes an urgent roadmap review necessary.

Why non-expiring tokens are a security problem

A traditional offline access token, once issued, stays valid until the merchant uninstalls the app or the token is explicitly revoked. If it is compromised, through a data breach, an exposed log, or an accidentally public repository, the attacker keeps access to the merchant's Admin API, with every scope the app was granted, for as long as the app remains installed.

Expiring offline access tokens work in a fundamentally different way:

  • Automatic invalidation: the access token stops working 60 minutes after issuance
  • Automatic rotation: every refresh issues a new token, so the credential actually in use keeps changing
  • Drastically reduced risk window: a leaked access token becomes unusable within minutes, and an attacker who holds only that token cannot renew it

The core issue is not OAuth compliance. It is the concrete difference between a breach that is contained and scoped in time, and a silent compromise that can persist for years without being detected. Expiry limits the exposure; it does not replace revoking the token and rotating the app's credentials once a leak is found.

Which apps are affected

It is important to define the scope correctly before taking any action:

  • Public apps distributed on the Shopify App Store or via direct installation link: affected
  • Apps created after April 1, 2026: already subject to the rule
  • Public apps created before April 1, 2026: subject to the January 1, 2027 deadline
  • Custom apps built for a single specific merchant, whether created by a partner in the Partner Dashboard or by the merchant in the Shopify admin: not affected

If you manage one or more public apps, verifying the current token status is the first operational step.

What technical teams need to do

1. Audit active tokens

The first step is to identify which public apps are still using non-expiring tokens. This requires reviewing your current OAuth configuration and the shape of the token records in your database or secrets store: a record that holds only an access token, with no refresh token and no expiry timestamp, is a non-expiring token and must be migrated. Count these per app and per shop so the rollout can be tracked to completion.

2. Implement the token exchange flow

Migration does not require merchants to reinstall the app. Shopify provides a token exchange flow that allows you to convert an existing non-expiring token into an expiring token via a server-side API call. The operation is completely transparent to the merchant, so it can run as a one-off batch job over the stored installations rather than inside a request path.

The key steps in the flow are:

  • Make a call to the token exchange endpoint with the existing offline token
  • Receive the new expiring token, its expiry, and the associated refresh token
  • Persist the new token pair over the old record in one write, so there is never a moment in which the store holds no usable token, and make the job idempotent so a shop already migrated is skipped on a re-run

3. Update your storage logic

Expiring tokens require your infrastructure to also manage the refresh token. You will need to update your database schema or secrets management system to store the current access token, the refresh token, and the absolute expiry time together. Note that the refresh token becomes the long-lived secret: it is what an attacker needs to keep minting access tokens, so it must be stored and logged with at least the care previously given to the permanent token. Refresh shortly before expiry rather than on the first authentication error, and make sure only one worker refreshes a given shop at a time, since every refresh rotates the credential and a second concurrent refresh can find its token already superseded.

4. Verify use of official libraries

If you are using official Shopify libraries (such as @shopify/shopify-api for Node.js or the equivalent Ruby gem), automatic refresh handling is already built in. In this case the work reduces to running the initial token exchange for existing tokens, after confirming that the library version you run actually supports expiring offline tokens and that your session storage persists the refresh token and expiry the library expects. The libraries then manage the subsequent token lifecycle autonomously.
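The four steps above, as one worked example added for this post. It is not Shopify's code and not the internals of @shopify/shopify-api; it is a small Node.js token store with a fake token endpoint so that it runs offline. The record shape, the `TokenStore` class, the `fakeTokenEndpoint` stand-in and the `demo` walkthrough are all this example's own names. The request field names (`grant_type`, `subject_token`, `refresh_token`, `expires_in`) are generic OAuth usage chosen for illustration, not a statement of Shopify's exact parameters; check Shopify's documentation for the real token endpoint before copying the request shape. What the example shows beyond the text is the part that bites in production: a refresh token is rotated on every use, so concurrent callers must share a single in-flight refresh, and a rejected refresh token must flag the shop for re-authorization rather than being retried.

```javascript
// Added illustration for this post (not Shopify's code, not @shopify/shopify-api).
// ASSUMPTION: the grant_type / subject_token / refresh_token / expires_in names are
// generic OAuth usage; confirm Shopify's exact token-endpoint parameters in its docs.
const REFRESH_SKEW_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry

// A legacy row holds only the non-expiring token; a migrated row also holds the
// refresh token and absolute expiry. Persist the three fields together.
function classifyRecord(rec) {
  if (!rec || !rec.accessToken) return "missing";
  if (!rec.refreshToken || !rec.expiresAt) return "legacy";
  return "expiring";
}
// Step 1, audit: which installations still run on non-expiring tokens?
function auditStore(records) {
  const report = { legacy: [], expiring: [], missing: [] };
  for (const rec of records) report[classifyRecord(rec)].push(rec.shop);
  return report;
}
// Step 3, storage: the row to persist from an exchange or refresh response.
function recordFromResponse(shop, body, nowMs) {
  for (const k of ["access_token", "refresh_token", "expires_in"])
    if (body[k] === undefined) throw new Error(`${shop}: response missing ${k}`);
  return { shop, accessToken: body.access_token, refreshToken: body.refresh_token,
    expiresAt: nowMs + body.expires_in * 1000 };
}

class TokenStore {
  // post(shop, form) calls the shop's token endpoint and resolves with the JSON body.
  constructor(records, post, now = () => Date.now()) {
    this.rows = new Map(records.map((r) => [r.shop, r]));
    this.post = post; this.now = now;
    this.inflight = new Map(); // shop -> pending refresh (single-flight)
  }
  // Step 2, exchange: convert a legacy token once; the merchant sees nothing.
  async migrate(shop) {
    const rec = this.rows.get(shop);
    if (classifyRecord(rec) !== "legacy") return rec; // idempotent on re-runs
    const body = await this.post(shop, { subject_token: rec.accessToken,
      grant_type: "urn:ietf:params:oauth:grant-type:token-exchange" }); // assumption
    const fresh = recordFromResponse(shop, body, this.now());
    this.rows.set(shop, fresh); // overwrite: never keep the old token around
    return fresh;
  }
  // Returns a token with at least REFRESH_SKEW_MS of life left. Every refresh
  // rotates the refresh token, so two workers refreshing one shop at once would
  // race and the loser's token would be dead: all callers share one in-flight refresh.
  async getValidToken(shop) {
    const rec = this.rows.get(shop);
    if (classifyRecord(rec) !== "expiring") throw new Error(`${shop}: run migrate() first`);
    if (rec.expiresAt - this.now() > REFRESH_SKEW_MS) return rec.accessToken;
    if (!this.inflight.has(shop))
      this.inflight.set(shop, this.refresh(shop, rec).finally(() => this.inflight.delete(shop)));
    return (await this.inflight.get(shop)).accessToken;
  }
  async refresh(shop, rec) {
    const body = await this.post(shop, { grant_type: "refresh_token",
      refresh_token: rec.refreshToken });
    if (body.error) { // expired or already-rotated refresh token: only re-authorization recovers it
      this.rows.set(shop, { shop, accessToken: null, needsReauth: body.error });
      throw new Error(`${shop}: refresh failed (${body.error}); merchant must re-authorize`);
    }
    const fresh = recordFromResponse(shop, body, this.now());
    this.rows.set(shop, fresh);
    return fresh;
  }
}

// Constructed offline stand-in for the token endpoint: refresh tokens are single-use.
function fakeTokenEndpoint() {
  let n = 0; const live = new Set();
  const issue = () => {
    n += 1; live.add(`rt-${n}`);
    return { access_token: `at-${n}`, refresh_token: `rt-${n}`, expires_in: 3600 };
  };
  const post = async (_shop, form) => {
    post.calls += 1;
    if (form.grant_type === "refresh_token")
      return live.delete(form.refresh_token) ? issue() : { error: "invalid_grant" };
    return form.subject_token ? issue() : { error: "unsupported_grant_type" };
  };
  post.calls = 0;
  return post;
}

// Walks one constructed legacy installation through audit, exchange and a
// near-expiry refresh hit by three concurrent callers.
async function demo() {
  let clock = 1_700_000_000_000; // fake wall clock, ms
  const post = fakeTokenEndpoint(); const shop = "example.myshopify.com";
  const store = new TokenStore([{ shop, accessToken: "shpat_legacy_value" }], post, () => clock);
  const before = auditStore([...store.rows.values()]);
  await store.migrate(shop);
  const first = await store.getValidToken(shop);
  clock += 3_500_000; // 58 minutes later: inside the refresh window
  const concurrent = await Promise.all([1, 2, 3].map(() => store.getValidToken(shop)));
  const after = auditStore([...store.rows.values()]);
  return { before, first, concurrent, after, calls: post.calls };
}
```

Running `demo()` performs exactly two calls against the fake endpoint: one exchange and one refresh, even though three callers asked for a token at the same moment. In a multi-process deployment the in-memory `inflight` map is not enough; the same single-flight guarantee has to come from a database row lock or a short-lived distributed lock keyed by shop.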

Timeline and priorities

The January 1, 2027 deadline may seem distant, but the technical time required for auditing, development, testing, and production deployment accumulates quickly. Adding this task to the roadmap in December 2026 means working under pressure with a higher risk of errors.

Teams managing multiple public apps or complex infrastructure should begin planning in the first half of 2026, allowing sufficient time for regression testing and handling edge cases such as already-expired tokens, merchants with very long active sessions, and integrations with third-party systems.

For an assessment of migration resources and costs, visit our Shopify developer plans and pricing page.

Operational summary

The transition to expiring offline access tokens is not a routine task. It requires changes to the OAuth flow, storage updates, verification of the libraries in use, and a rollout strategy that does not impact active merchants. Done correctly, it is also an opportunity to strengthen the overall security posture of your entire integration with the Shopify ecosystem.

Originally posted on LinkedIn
