Skip to main content

Shopify Generic App Token



  • Documentation:
  • Summary: Shopify is an e-commerce company that offers online retailers a suite of services including payments, marketing, shipping and customer engagement tools to simplify the process of running an online store. A public (or custom) application allows to integrate third-party web services with a Shopify store. This detector can catch leaked access tokens for generic apps, but cannot check their validity. Another detector can detect both the token and its associated Shopify subdomain, and verify their validity.
  • IPs allowlist: This is not mentioned in the documentation.
  • Scopes: The scope of each key depends on the rights associated with the related app.

Revoke the secret#

Revocation and rotation of API keys is done with a specific workflow described in this documentation.

Check for suspicious activity#

This feature is not mentioned in the documentation.

Details for Shopify generic app token#

  • Family: Api

  • Category: E-commerce

  • Company: Shopify

  • High recall: True

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 6.28

  • Prefixed: True

  • PreValidators:

- type: ContentWhitelistPreValidator  patterns:  - shp(ca|at|tka)_[a-f0-9]{32}


- text: |    shopify_app_secret: "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"  token: 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