Resources/The Agent API Atlas/E-commerce/Shopify

Everything an AI agent can do with the Shopify API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints22

API version2026-04

Last updated23 June 2026

Orientation

How the Shopify Admin API works.

The Shopify API is how an app or AI agent works with a Shopify store through its Admin API: listing and updating products, reading and editing orders, managing customers, and adjusting inventory across locations. Access is granted through an access token obtained when a merchant installs the app, and the token carries OAuth scopes, paired as read and write per area, that set which parts of the store a call can read or change. Shopify ships a new dated version of the API each quarter and supports each for at least a year, and a change in the store can emit an event to a registered endpoint.

22Endpoints

8Capability groups

9Read

13Write

12Permissions

Authentication

An app authenticates to a store with an access token sent in the X-Shopify-Access-Token header. A public app obtains the token through the OAuth 2.0 authorization-code flow when a merchant installs it; a custom app built for one store is issued a token directly in the Shopify admin. The token reaches only the store it was granted for and only the scopes the merchant approved.

Permissions

Access is governed by OAuth scopes, paired per area as read_ and write_, like read_products and write_products, read_orders and write_orders, read_customers and write_customers, read_inventory and write_inventory. A 403 means the token lacks the scope an operation needs. Some areas are gated further: read_all_orders and any protected customer data both need Shopify approval beyond the merchant's consent.

Versioning

Shopify ships a new dated Admin API version every quarter, like 2026-04, and the version is part of the request path. Each version is supported for at least 12 months with at least nine months of overlap, so an app pins a version and upgrades on its own schedule before the one in use is retired. The latest stable version as of mid-2026 is 2026-04.

Data model

The Admin API is GraphQL-first: an app sends queries to read and mutations to write, asking for exactly the fields it needs in one round trip, to a single store endpoint. A mutation returns a userErrors field for business-level failures even on an HTTP 200. The older REST Admin API still works but is legacy and no longer gaining features. A state change can emit a webhook to a registered endpoint.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Shopify determines what it can reach. There is a route for making calls, a route for receiving events, and hosted servers that expose Shopify to AI agents, and each is governed by the access token behind it and the scopes that token carries.

Ways to connect

GraphQL Admin API

The primary Admin API is GraphQL. An app sends every read and write as a query or a mutation to a single store endpoint and asks for exactly the fields it needs back. A request authenticates with an access token in the X-Shopify-Access-Token header, and the version is part of the request path. The REST Admin API still exists but is legacy and no longer receiving new features.

Best forConnecting an app or AI agent to a Shopify store.

Governed byThe access token and the OAuth scopes it carries.

Docs ↗

Webhooks

Shopify POSTs a payload to an HTTPS endpoint when a subscribed topic fires, like an order being created. The receiver verifies the X-Shopify-Hmac-Sha256 header against the app's client secret to confirm the request came from Shopify. Subscriptions are created in the app config or through the webhookSubscriptionCreate mutation.

Best forReceiving store events at an app or AI agent without polling.

Governed byThe HMAC signature and the scopes that gate each topic.

Docs ↗

Storefront MCP server (first-party)

Shopify's hosted Storefront MCP server lets an AI agent handle shopping tasks for a store: searching the catalog, managing carts, and reading store policies, so a shopping assistant can help a customer through to checkout. Shopify also ships first-party Customer Account and Checkout MCP servers for their domains. These are storefront and shopper facing, not the Admin API.

Best forConnecting an AI shopping assistant to a store's catalog and cart.

Governed byThe store and shopper context the server is connected to.

Docs ↗

Dev MCP / AI Toolkit (first-party)

Shopify's Dev MCP server, part of the open-sourced Shopify AI Toolkit, runs locally and exposes Shopify's documentation and GraphQL schema to an AI coding tool, so an agent can look up and validate API calls. It is a developer aid for building against the API, not a runtime path to store data, and runs without authentication.

Best forHelping an AI coding tool build correct Admin API calls.

Governed byLocal execution; it reads docs and schema, not store data.

Docs ↗

Authentication

OAuth 2.0 (public app)

A public app installed by a merchant uses the OAuth 2.0 authorization-code flow to request scopes and receive an access token for that store. The token is sent in the X-Shopify-Access-Token header on every Admin API call and reaches only the scopes the merchant approved.

TokenOAuth access token per store (shpat_...)

Best forApps installed across many merchant stores.

Docs ↗

Custom app access token

A custom app built for a single store is given an Admin API access token directly in the Shopify admin, with scopes selected at setup. It calls the Admin API the same way, with the token in the X-Shopify-Access-Token header, and skips the OAuth flow.

TokenAdmin API access token (shpat_...)

Best forA single store building its own integration.

Docs ↗

Session token (embedded apps)

An embedded app running inside the Shopify admin uses short-lived session tokens to identify the merchant, then exchanges them for an access token through token exchange. This avoids long-lived tokens in the browser.

TokenShort-lived JWT session token

Best forApps embedded in the Shopify admin UI.

Docs ↗

Capability map

What an AI agent can do in Shopify.

The Admin API is split into areas an agent can act on, like products, orders, customers, inventory, fulfillment, and draft orders. Each area has its own operations and its own access scope, and a write in some areas changes a live storefront or a real order.

Products & variants

5 endpoints

Operations for reading and writing products, their variants, and product media.

A write here changes the live product catalog a storefront shows.

View endpoints →

Orders

4 endpoints

Operations for reading and updating orders placed in a store.

A write here changes a real customer order.

View endpoints →

Customers

3 endpoints

Operations for reading and writing customer records.

A write here changes a real customer record and may touch protected customer data.

View endpoints →

Inventory

2 endpoints

Operations for reading and adjusting stock levels across locations.

A write here changes the stock count a store sells against.

View endpoints →

Fulfillment

2 endpoints

Operations for reading fulfillment orders and creating fulfillments.

A write here marks goods as shipped and can notify the customer.

View endpoints →

Draft orders

3 endpoints

Operations for building draft orders and turning them into real orders.

Completing a draft order creates a real order that can take payment.

View endpoints →

Collections

2 endpoints

Operations for grouping products into collections.

A write here changes how products are grouped on a storefront.

View endpoints →

Metafields

1 endpoint

Operations for reading and setting custom metafield data on records.

A write here changes custom data attached to store records.

View endpoints →

Endpoint reference

Every Shopify Admin API operation.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Products & variants Operations for reading and writing products, their variants, and product media.5
POST	`query products`	List products in the store, filtered and paginated through a connection.	read	`read_products`	Current
Read-only. The products connection is part of the QueryRoot. Acts onProduct Permission (capability)`read_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`query product`	Fetch a single product by id, including its variants and media.	read	`read_products`	Current
Read-only. Acts onProduct Permission (capability)`read_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation productCreate`	Create a product with attributes such as title, description, vendor, and media.	write	`write_products`	Current
A product is created in an unpublished state, then made available with a separate publish step. Acts onProduct Permission (capability)`write_products` VersionAvailable since the API’s base version Webhook event`products-create` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation productUpdate`	Update an existing product's attributes.	write	`write_products`	Current
A core catalog write that a storefront reflects. Acts onProduct Permission (capability)`write_products` VersionAvailable since the API’s base version Webhook event`products-update` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation productVariantsBulkCreate`	Create multiple variants for a single product in one operation, such as sizes or colors.	write	`write_products`	Current
Adds variants in bulk to an existing product. Acts onProductVariant Permission (capability)`write_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Orders Operations for reading and updating orders placed in a store.4
POST	`query orders`	List orders in the store, filtered and paginated through a connection.	read	`read_orders`	Current
read_orders returns orders from the last 60 days; read_all_orders, which needs Shopify approval, removes that window. Acts onOrder Permission (capability)`read_orders` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`query order`	Fetch a single order by id, including line items, transactions, and fulfillments.	read	`read_orders`	Current
Reading customer details on an order also needs protected customer data approval. Acts onOrder Permission (capability)`read_orders` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation orderUpdate`	Update an order's attributes, like its email, shipping address, tags, or metafields.	write	`write_orders`	Current
A write to a real order. Acts onOrder Permission (capability)`write_orders` VersionAvailable since the API’s base version Webhook event`orders-updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation orderCreate`	Create an order directly, for orders that originate outside the standard checkout.	write	`write_orders`	Current
Creates a real order in the store. Acts onOrder Permission (capability)`write_orders` VersionAvailable since the API’s base version Webhook event`orders-create` Rate limitStandard limits apply SourceOfficial documentation ↗
Customers Operations for reading and writing customer records.3
POST	`query customers`	List customers in the store, filtered and paginated through a connection.	read	`read_customers`	Current
Customer fields like name, email, and address are protected customer data and need Shopify approval. Acts onCustomer Permission (capability)`read_customers` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation customerCreate`	Create a customer record from name, email, and address details.	write	`write_customers`	Current
Writes a real customer record; the input is protected customer data. Acts onCustomer Permission (capability)`write_customers` VersionAvailable since the API’s base version Webhook event`customers-create` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation customerUpdate`	Update an existing customer's details.	write	`write_customers`	Current
A write to a real customer record. Acts onCustomer Permission (capability)`write_customers` VersionAvailable since the API’s base version Webhook event`customers-update` Rate limitStandard limits apply SourceOfficial documentation ↗
Inventory Operations for reading and adjusting stock levels across locations.2
POST	`query inventoryItem`	Read an inventory item and its levels across locations.	read	`read_inventory`	Current
Read-only. Acts onInventoryItem Permission (capability)`read_inventory` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation inventoryAdjustQuantities`	Apply incremental changes to inventory quantities at specific locations, with a reason code.	write	`write_inventory`	Current
Changes the stock count a store sells against. Acts onInventoryLevel Permission (capability)`write_inventory` VersionAvailable since the API’s base version Webhook event`inventory_levels-update` Rate limitStandard limits apply SourceOfficial documentation ↗
Fulfillment Operations for reading fulfillment orders and creating fulfillments.2
POST	`query order.fulfillmentOrders`	Read the fulfillment orders for an order, the units of work assigned to a location.	read	`read_fulfillments`	Current
Read scope depends on who manages the fulfillment; assigned, merchant-managed, or third-party each have their own scope. Acts onFulfillmentOrder Permission (capability)`read_fulfillments` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation fulfillmentCreateV2`	Create a fulfillment for one or more fulfillment orders assigned to the same location.	write	`write_fulfillments`	Current
Marks goods as shipped and can send the customer a shipment notification. Acts onFulfillment Permission (capability)`write_fulfillments` VersionAvailable since the API’s base version Webhook event`fulfillments-create` Rate limitStandard limits apply SourceOfficial documentation ↗
Draft orders Operations for building draft orders and turning them into real orders.3
POST	`query draftOrders`	List draft orders in the store, paginated through a connection.	read	`read_draft_orders`	Current
Read-only. Acts onDraftOrder Permission (capability)`read_draft_orders` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation draftOrderCreate`	Create a draft order combining custom line items with existing products.	write	`write_draft_orders`	Current
A draft is not yet a real order until it is completed. Acts onDraftOrder Permission (capability)`write_draft_orders` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation draftOrderComplete`	Complete a draft order, turning it into a real order.	write	`write_draft_orders`	Current
Creates a real order that can take payment. Acts onDraftOrder Permission (capability)`write_draft_orders` VersionAvailable since the API’s base version Webhook event`orders-create` Rate limitStandard limits apply SourceOfficial documentation ↗
Collections Operations for grouping products into collections.2
POST	`query collections`	List collections in the store, paginated through a connection.	read	`read_products`	Current
Collections are covered by the products scope. Acts onCollection Permission (capability)`read_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`mutation collectionCreate`	Create a collection that groups products together on the storefront and other sales channels.	write	`write_products`	Current
Collections are covered by the products scope. Acts onCollection Permission (capability)`write_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Metafields Operations for reading and setting custom metafield data on records.1
POST	`mutation metafieldsSet`	Set custom metafield values on a record, creating or overwriting them.	write	`write_products`	Current
Sets up to 25 metafields at a time. The scope needed matches the record the metafield is on, like write_products for a product. Acts onMetafield Permission (capability)`write_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Shopify can notify an app when something happens in a store, like an order being placed or a product changing. It sends a topic and a payload describing what changed, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`orders/create`	An order was placed in the store. The primary signal to start fulfillment and downstream processing.	`mutation orderCreate` `mutation draftOrderComplete`
`orders/updated`	An order changed, like its shipping address, tags, or status.	`mutation orderUpdate`
`products/create`	A new product was created in the catalog.	`mutation productCreate`
`products/update`	A product changed, like its title, price, or variants.	`mutation productUpdate`
`customers/create`	A new customer record was created.	`mutation customerCreate`
`customers/update`	A customer record changed.	`mutation customerUpdate`
`inventory_levels/update`	An inventory level changed at a location, used to keep external stock systems in sync.	`mutation inventoryAdjustQuantities`
`fulfillments/create`	A fulfillment was created for an order, marking goods as shipped.	`mutation fulfillmentCreateV2`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Shopify limits how much an app can call by a calculated cost per request rather than a fixed number of requests, with a points budget that refills at a set rate per second and a separate ceiling on the cost of any single query.

Request rate

The GraphQL Admin API meters by a calculated query cost, not a request count, using a leaky bucket. Each operation costs points by the data it touches: a scalar or enum costs 0, an object costs 1, a connection is sized by its first or last argument, and a mutation costs 10. The bucket refills at a fixed rate per second that depends on the store's plan, 100 points per second on Standard, 200 on Advanced, 1,000 on Shopify Plus, and 2,000 on the enterprise tier, and starts at a capacity of 40 times that rate. No single query may cost more than 1,000 points, checked before it runs. Each response reports requestedQueryCost, actualQueryCost, currentlyAvailable, and restoreRate under the extensions key, and going over returns a THROTTLED error.

Pagination

GraphQL connections are cursor-based. A query asks for a page with the first or last argument, up to 250 items, and reads the cursor and a hasNextPage flag from pageInfo to fetch the following page. Page size feeds directly into the query cost, so a larger page costs more points.

Request size

A single GraphQL query may not exceed a calculated cost of 1,000 points. A connection returns at most 250 items per page. The metafieldsSet mutation accepts up to 25 metafields per call, within a 10MB request payload.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
200	`userErrors`	A mutation ran but the action was rejected for a business reason, like an invalid field or a missing record. The GraphQL response is HTTP 200, and the detail is in the mutation's userErrors field, not the HTTP status.	Always request the userErrors field on a mutation, then read its field and message to see what was rejected and why, and fix the input.
200	`THROTTLED`	The request cost more points than the app's bucket currently held. GraphQL returns HTTP 200 with a THROTTLED entry in the top-level errors array and the throttle state under extensions.	Read the cost and restore rate from the extensions cost data, wait for the bucket to refill, and retry. Lower the cost by requesting fewer fields or smaller pages.
200	`MAX_COST_EXCEEDED`	A single query's calculated cost exceeds the 1,000-point per-query ceiling, which is checked before the query runs regardless of plan.	Split the query into smaller queries, request fewer nested connections, or reduce the page size on connections.
401	`ACCESS_DENIED / Unauthorized`	The request carried no valid access token, or the token was revoked.	Confirm a valid X-Shopify-Access-Token is sent, and re-run the install or token exchange if the token was revoked.
402	`Payment Required`	The store is frozen, usually for an unpaid Shopify bill, so the API is unavailable until the store is reactivated.	The merchant must resolve the billing issue with Shopify; the integration cannot bypass it.
403	`Forbidden`	The token is valid but lacks the scope this operation needs, or the store has been flagged.	Request the missing scope and have the merchant re-approve, or confirm the store's status.
404	`Not Found`	The endpoint, store, or API version in the request path does not exist or is not reachable.	Check the store domain and that the API version in the path is a supported, dated version.
423	`Locked`	The store is temporarily unavailable, for example due to repeated rate limiting or a fraud flag.	Back off and retry later, and reduce request volume.
500	`Internal Server Error`	An error on Shopify's side, which can also appear as other 5xx codes.	Retry with backoff, and contact Shopify if it persists.

Versioning & freshness

Version history.

Shopify ships a new dated version of the Admin API every quarter, and each version is supported for at least a year, so an integration pins a version and moves up on its own schedule.

Version history

What changed, and when

Latest version2026-04

2026-04Current version

Current stable version

Shopify releases a new dated Admin API version each quarter and supports each for at least 12 months, with at least nine months of overlap between consecutive versions. The version is part of the request path, so an app pins a version and upgrades on its own schedule. 2026-04 is the latest stable version as of mid-2026.

What changed

Quarterly dated release on the GraphQL-first Admin API.
Released April 1, 2026; supported through at least April 2027.
GraphQL is the primary API; REST Admin remains legacy and gains no new features.

2026-01

January 2026 release

The first quarterly release of 2026, dated 2026-01.

What changed

Released January 1, 2026; supported through at least January 2027.
Shopify Flow adopted version 2026-01 of the GraphQL Admin API.

2025-10

October 2025 release

The October 2025 quarterly release, dated 2025-10.

What changed

Released October 1, 2025; supported through at least October 2026.

2025-07

July 2025 release

The July 2025 quarterly release, dated 2025-07.

What changed

Released July 1, 2025; supported through at least July 16, 2026.

Pin a dated version and move up before the one in use is retired.

Shopify developer changelog ↗

Questions

Shopify Admin API, answered.

Is the Shopify Admin API REST or GraphQL?+

Both exist, but GraphQL is the primary API and where new features ship. An app sends queries to read and mutations to write, asking for exactly the fields it needs in one request. The REST Admin API still works for existing integrations but is legacy and no longer receiving new features, so new builds should use GraphQL.

How do Shopify's GraphQL rate limits work?+

Shopify meters by a calculated query cost rather than a request count, using a leaky bucket. Each operation costs points by the data it touches, a mutation costs 10, an object costs 1, and a connection is sized by its page argument. The bucket refills at a fixed rate per second set by the store's plan, from 100 points per second on Standard up to 1,000 on Shopify Plus. Going over returns a THROTTLED error, and the response reports the cost and remaining budget under the extensions key.

Why did a mutation return HTTP 200 but not do anything?+

GraphQL returns HTTP 200 even when an action is rejected for a business reason. The detail is in the mutation's userErrors field, not the HTTP status. Always request userErrors on a mutation and check it, because a missing record or an invalid field shows up there rather than as a 4xx response.

What permissions does an app need?+

Access is set by OAuth scopes, paired as read_ and write_ per area, like read_products and write_products or read_orders and write_orders. A merchant approves the scopes at install, and a 403 means the token lacks the scope an operation needs. Reading customer personal details needs protected customer data approval, and reading orders older than 60 days needs the read_all_orders scope, both granted by Shopify beyond the merchant's consent.

How does API versioning work, and how often must I upgrade?+

Shopify releases a new dated version every quarter, like 2026-04, and the version is part of the request path. Each version is supported for at least 12 months with at least nine months of overlap between consecutive versions, so an app pins a version and moves up on its own schedule before the one in use is retired.

How do I verify a webhook really came from Shopify?+

Each webhook carries an X-Shopify-Hmac-Sha256 header, a base64 HMAC-SHA256 signature over the raw request body computed with the app's client secret. The receiver recomputes the signature on the raw body and compares it, rejecting a mismatch. Apps in the App Store must also handle the mandatory compliance webhooks customers/data_request, customers/redact, and shop/redact.

Does Shopify have an official MCP server for AI agents?+

Yes, Shopify ships first-party MCP servers. The Storefront MCP server lets an AI shopping assistant search a store's catalog, manage carts, and read policies, and there are Customer Account and Checkout MCP servers for those domains. Separately, the Dev MCP server, part of the open-sourced Shopify AI Toolkit, runs locally and gives an AI coding tool access to Shopify's documentation and GraphQL schema for building correct API calls.

What is Bollard AI?

Control what every AI agent can do in Shopify.

Bollard AI sits between a team's AI agents and Shopify. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Shopify access token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Shopify access in Bollard Browse all APIs →

Shopify

Store Ops Agent

View orders ResourceOffReadFull use

Edit products ResourceOffReadFull use

Adjust inventory ActionOffReadFull use

Customers ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Shopify

How the Shopify Admin API works.

Connection & authentication methods.

GraphQL Admin API

Webhooks

Storefront MCP server (first-party)

Dev MCP / AI Toolkit (first-party)

OAuth 2.0 (public app)

Custom app access token

Session token (embedded apps)

What an AI agent can do in Shopify.

Products & variants

Orders

Customers

Inventory

Fulfillment

Draft orders

Collections

Metafields

Every Shopify Admin API operation.

Products & variants

Orders

Customers

Inventory

Fulfillment

Draft orders

Collections

Metafields

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Shopify Admin API, answered.

More e-commerce API guides for agents

BigCommerce

Gumroad

EasyPost

Lemon Squeezy

WooCommerce

Magento

Control what every AI agent can do in Shopify.