Shopify Generic App Token

Description

General

  • Documentation: https://shopify.dev/api/admin-rest
  • Summary: Shopify is an e-commerce company that offers online retailers a suite of services including payments, marketing, shipping and customer engagement tools to simplify the process of running an online store. A public (or custom) application allows third-party web services to be integrated with a Shopify store. This detector can catch leaked access tokens for generic apps, but cannot check their validity. Another detector can detect both the token and its associated Shopify subdomain, and verify their validity.
  • IPs allowlist: This is not mentioned in the documentation.
  • Scopes: The scope of each key depends on the rights associated with the related app.

Revoke the secret

Revocation and rotation of API keys is done with a specific workflow described in this documentation.

Check for suspicious activity

This feature is not mentioned in the documentation.

Details for Shopify generic app token

  • Family: Api

  • Category: E-commerce

  • Company: Shopify

  • High recall: True

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 3.02

  • Prefixed: True

  • PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - shp(ca|at|tka)_[a-f0-9]{32}

Examples

- text: |
    shopify_app_secret: "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"
  token: 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

# Fat-fingered secret
- text: X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
  token: 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
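
The following sketch applies the pre-validator pattern above to text before it is committed and reports redacted findings. It is an added example, not the detector's own code: using the pattern as the extraction regex, the `scan` and `redact` helpers and the sample input are assumptions made for illustration.

```python
import re

# Pattern copied from the page's ContentWhitelistPreValidator. Using it as the
# extraction regex is an assumption of this example; the detector's complete
# matching logic is not shown on the page.
SHOPIFY_TOKEN_RE = re.compile(r"shp(ca|at|tka)_[a-f0-9]{32}")


def redact(token: str) -> str:
    """Keep the prefix and the last 4 characters so findings can be logged."""
    prefix, _, body = token.partition("_")
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"


def scan(text: str) -> list[dict]:
    """Return one finding per token occurrence, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SHOPIFY_TOKEN_RE.finditer(line):
            findings.append({
                "line": lineno,
                "prefix": "shp" + match.group(1),
                "token": match.group(0),
                "redacted": redact(match.group(0)),
            })
    return findings


# Constructed sample input. Lines 1 and 2 reuse the page's example token;
# lines 3 to 5 are near misses the pattern rejects: uppercase hex, a
# truncated body, and a made-up prefix outside (ca|at|tka).
SAMPLE = """\
shopify_app_secret: "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"
X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
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
shpat_5d5b86ea0a074bcd
shpxx_5d5b86ea0a074bcd41c4d9ad07b89fea
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"line {finding['line']}: {finding['prefix']} token "
              f"{finding['redacted']}")
```

Because the pattern has no leading word boundary, the fat-fingered `Xshpat_…` line is still reported, matching the second example above.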