← back to blog

Shopify Storefront Tokens: The Headless App

shopifyapistorefront

Need a Storefront API token for working with your shop? The Headless app from Shopify is golden for this.

It installs as a sales channel but you can create a public access token to do things where you might need to leverage some storefront customizations. Apparently it’s been around for a while — news to me.

If you’re working on Shopify storefronts and can’t use the legacy custom apps route, this works.

What the Headless app actually gives you

The Headless channel lives in your Shopify admin under Sales Channels. Once installed, you can create storefronts — each one gets its own public access token for the Storefront API.

This is useful when you need to:

  • Build a custom frontend (React, Next.js, Astro — whatever) that reads product data
  • Create a buy button or embedded product picker on an external site
  • Build a mobile app that fetches products, collections, and cart data
  • Power any headless commerce experience

The public token is safe to expose in client-side code — it only has access to the Storefront API, which is designed for public-facing read operations and cart management.

Quick setup

  1. Go to Shopify Admin → Settings → Apps and Sales Channels
  2. Search for “Headless” in the Shopify App Store
  3. Install it as a sales channel
  4. Create a new storefront
  5. Copy the Storefront API access token

Then you can start querying:

const STOREFRONT_URL = `https://${shop}.myshopify.com/api/2025-01/graphql.json`;

async function getProducts() {
  const response = await fetch(STOREFRONT_URL, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-Shopify-Storefront-Access-Token': storefrontToken,
    },
    body: JSON.stringify({
      query: `{
        products(first: 10) {
          edges {
            node {
              id
              title
              handle
              priceRange {
                minVariantPrice {
                  amount
                  currencyCode
                }
              }
            }
          }
        }
      }`,
    }),
  });

  return response.json();
}

Storefront API vs Admin API

This is where people get confused. Shopify has two main APIs:

Storefront API (what the Headless app gives you):

  • Public access token — safe for client-side
  • Read access to products, collections, pages, blogs
  • Cart creation and management
  • Customer account access (with customer access token)
  • No write access to admin resources

Admin API (what custom apps give you):

  • Private access token — server-side only
  • Full read/write access to orders, products, customers, etc.
  • Webhook subscriptions
  • Bulk operations

If you need to manage the store (create products, process orders, update inventory), you need the Admin API through a custom app. The Headless app is purely for the storefront-facing side.

What I’m still waiting for

Now I’m just hoping Shopify builds something similar for admin access tokens after the removal of the legacy custom apps. The current flow of creating a custom app just to get an admin token for internal tools or integrations feels heavier than it needs to be.

Legacy custom apps made this easy — install, get your token, start building. The new custom app flow involves app URLs, OAuth configuration, and compliance webhooks even when you just want a simple token for an internal integration script.

Shopify, if you’re reading this — a “Headless” equivalent for the Admin API would be a huge DX win. Just give us a way to generate scoped admin tokens without the full app setup ceremony. The use case is real and it’s common.