Skip to main content

Shopify Generic App Token



  • Documentation:
  • Summary: Shopify is an e-commerce company that offers online retailers a suite of services including payments, marketing, shipping and customer engagement tools to simplify the process of running an online store. A public (or custom) application allows to integrate third-party web services with a Shopify store. This detector can catch leaked access tokens for generic apps, but cannot check their validity. Another detector can detect both the token and its associated Shopify subdomain, and verify their validity.
  • IPs allowlist: This is not mentioned in the documentation.
  • Scopes: The scope of each key depends on the rights associated with the related app.

Revoke the secret

Revocation and rotation of API keys is done with a specific workflow described in this documentation.

Check for suspicious activity

This feature is not mentioned in the documentation.

Details for Shopify generic app token

  • Family: Api

  • Category: E-commerce

  • Company: Shopify

  • High recall: True

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 6.28

  • Prefixed: True

  • PreValidators:

- type: ContentWhitelistPreValidator
- shp(ca|at|tka)_[a-f0-9]{32}


- text: |
shopify_app_secret: "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"
token: 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

# Fat-fingered secret
- text: X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
token: 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

How can I help you ?