Shopify Expiring Offline Access Tokens: What Every App Developer Needs to Know Before April 1, 2026
Starting April 1, 2026, all new Shopify public apps must use expiring offline access tokens. Here's exactly what changes, who's affected, and how to implement it.

If you're building a new Shopify public app, there's a security change you need to know about before April 1, 2026.
Shopify announced that all new public apps created on or after April 1, 2026 must request and use expiring offline access tokens. Miss this, and your app submission to the Shopify App Store will fail.
What's Actually Changing
Until now, offline access tokens in Shopify were non-expiring — once issued, they worked indefinitely. Starting April 1, tokens issued to new public apps will have a limited lifespan, requiring your app to implement a token refresh flow. This aligns Shopify with modern OAuth 2.0 practices used by platforms like Google and Stripe.
Who This Affects
Affected: Public apps created on or after April 1, 2026 that call the Admin API.
Not affected: Public apps created before April 1, 2026 (existing apps keep working), custom apps at any time, and apps created by merchants in the Dev Dashboard or Shopify admin.
Why Shopify Is Making This Change
The security case is straightforward: if an offline access token is ever leaked — from a breach, an exposed .env file, or a compromised CI/CD pipeline — a non-expiring token gives an attacker permanent access to a merchant's store. Expiring tokens limit that window significantly.
What You Need to Do
If you use Shopify's official app templates (Remix, Next.js): Good news — expiring offline tokens are already handled by @shopify/shopify-app-remix and @shopify/shopify-app-express. Just make sure you're on a recent version.
If you have a custom auth implementation: You'll need to: store the token AND its expiry timestamp from the OAuth response, check expiry before each API call, and initiate a refresh using your refresh token when expired.
async function getValidToken(shop) {
  // db.getToken / db.saveToken and refreshShopifyToken are the app's own helpers.
  // The stored record holds accessToken, refreshToken and expiresAt, an epoch-ms
  // timestamp derived from the expires_in field of the OAuth response.
  const stored = await db.getToken(shop);
  // Refresh if expiring within 1 hour
  if (stored.expiresAt - Date.now() < 3600 * 1000) {
    const refreshed = await refreshShopifyToken(stored.refreshToken);
    await db.saveToken(shop, refreshed);
    return refreshed.accessToken;
  }
  return stored.accessToken;
}

Key detail: Build a middleware layer that proactively refreshes tokens before they expire (e.g., when < 1 hour remaining) rather than reacting to 401 errors. Proactive refresh prevents failed API calls from reaching your users.
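The three steps above (store the token with its expiry, check before each call, refresh proactively) as a self-contained token manager. This is an added example, not code from this post or from Shopify's libraries: only expires_in and access_token are standard OAuth field names, while the refresh_token field name, the in-memory store and the injected refreshFn are assumptions standing in for your database and your call to Shopify's refresh endpoint. It also covers two failure modes the snippet above skips: concurrent requests racing on one refresh token, and a refresh that is rejected outright.

```javascript
// Added example (not from the post or Shopify's libraries). expires_in and
// access_token are standard OAuth fields; refresh_token and the helpers are assumptions.
const REFRESH_MARGIN_MS = 60 * 60 * 1000; // refresh when < 1 hour remains

// Turn an OAuth token response into a stored record with an absolute expiry.
function recordFromResponse(resp, issuedAtMs) {
  if (!Number.isFinite(resp.expires_in) || resp.expires_in <= 0) {
    throw new Error('token response missing a usable expires_in');
  }
  return {
    accessToken: resp.access_token,
    refreshToken: resp.refresh_token, // assumed field name
    expiresAt: issuedAtMs + resp.expires_in * 1000,
  };
}

// Proactive check: stale once less than the margin remains before expiry.
function needsRefresh(record, nowMs, marginMs = REFRESH_MARGIN_MS) {
  return record.expiresAt - nowMs < marginMs;
}

// store: Map shop -> record (stand-in for a DB table); refreshFn: async
// (refreshToken) => OAuth token response. Returns getValidToken(shop), which
// refreshes proactively and dedupes concurrent refreshes for the same shop.
function createTokenManager(store, refreshFn, now = () => Date.now()) {
  const inflight = new Map();
  async function refresh(shop, record) {
    const issuedAt = now();
    let resp;
    try {
      resp = await refreshFn(record.refreshToken);
    } catch (err) {
      // Revoked/uninstalled: drop the dead record instead of retrying forever.
      store.delete(shop);
      throw new Error(`refresh failed for ${shop}: ${err.message}; reinstall required`);
    }
    const fresh = recordFromResponse(resp, issuedAt);
    store.set(shop, fresh);
    return fresh.accessToken;
  }
  return async function getValidToken(shop) {
    const record = store.get(shop);
    if (!record) throw new Error(`no token for ${shop}; reinstall required`);
    if (!needsRefresh(record, now())) return record.accessToken;
    if (!inflight.has(shop)) {
      inflight.set(shop, refresh(shop, record).finally(() => inflight.delete(shop)));
    }
    return inflight.get(shop);
  };
}
```

Wire createTokenManager to your real database and a refreshFn that calls Shopify's token endpoint, and call getValidToken(shop) from the middleware in front of every Admin API request.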
Timeline
• March 20, 2026 — Shopify announced the change
• April 1, 2026 — Enforcement begins for all new public apps
• Existing apps — Not affected (no forced migration announced yet)
Bottom Line
If you're starting a new Shopify app build after April 1, factor token refresh into your auth architecture from day one. If you're using Shopify's official libraries, you're already covered. For existing apps, this is a good prompt to review your token handling — Shopify hasn't announced a forced migration deadline yet, but it's likely coming.
FAQ
Does this affect custom apps? No. Custom apps installed on a single store are not affected.
Will my existing app stop working after April 1? No. Apps created before April 1, 2026 continue to work with their existing non-expiring tokens.
How long do expiring tokens last? Shopify hasn't published a fixed expiry — implement your refresh logic based on the expires_in field returned in the OAuth response.