Shopify Generic App Token With Subdomain

Description

General

Documentation: https://shopify.dev/api/admin-rest
Summary: Shopify is an e-commerce company that offers online retailers a suite of services including payments, marketing, shipping and customer engagement tools to simplify the process of running an online store. A public (or custom) application allows to integrate third-party web services with a Shopify store. This detector focuses on detecting couples composed of a shopify subdomain along with its associated token, and also checks their validity. Another detector is available to catch solely the access token, without the ability to check its validity.
IPs allowlist: This is not mentioned in the documentation.
Scopes: Tokens have different scopes. It is possible to choose which scopes to grant the tokens when creating them.

Revoke the secret

Revocation and rotation of API keys is done with a specific workflow described in this documentation.

Check for suspicious activity

This feature is not mentioned in the documentation.

Details for `Shopify generic app token subdomain`

Family: Api
Category: E-commerce
Company: Shopify
High recall: True
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 2
Occurrences found for one million commits: 1.76
Prefixed: True
PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - myshopify

Examples

- text: |
    $shopurl='shirts.myshopify.com';
    $token='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';
  subdomain: shirts
  token: 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