Skip to main content

Shopify Generic App Token With Subdomain

Description

General

  • Documentation: https://shopify.dev/api/admin-rest
  • Summary: Shopify is an e-commerce company that offers online retailers a suite of services including payments, marketing, shipping and customer engagement tools to simplify the process of running an online store. A public (or custom) application allows to integrate third-party web services with a Shopify store. This detector focuses on detecting couples composed of a shopify subdomain along with its associated token, and also checks their validity. Another detector is available to catch solely the access token, without the ability to check its validity.
  • IPs allowlist: This is not mentioned in the documentation.
  • Scopes: Tokens have different scopes. It is possible to choose which scopes to grant the tokens when creating them.

Revoke the secret

Revocation and rotation of API keys is done with a specific workflow described in this documentation.

Check for suspicious activity

This feature is not mentioned in the documentation.

Details for Shopify Generic App Token With Subdomain

  • Family: token

  • Category: e_commerce

  • Company: Shopify

  • High recall: True

  • Validity check available: True

  • Analyzer available: True

  • On-premise instances exist: False

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 2

  • Occurrences found for one million commits: 4.67

  • Prefixed: True

  • PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - myshopify

Examples

- text: |
    $shopurl='shirts.myshopify.com';
    $token='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';
  subdomain: shirts
  token: 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

Secret Analyzer

Analysis Method

  • Provider allows scopes enumeration: True
  • Total network call count: 1
  • Total call count may vary: False

HTTP Calls

Requests are designed to capture metadata and not to function effectively.

  • GET: /admin/oauth/access_scopes.json

Other Calls

Non-HTTP queries or HTTP calls made through a third-party app (e.g., Python package). No other calls for this analyzer.

Last updated on

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status