Connect your Shopify store
Give Claude real hands on your Shopify store - products, inventory, locations, and the full Admin API - through one custom app and one permanent token. About 15 minutes, one time, per store.
How the connection works
Shopify doesn't let third parties plug straight into a store - access always goes through an app you control. So the process is: create a private app in Shopify's Dev Dashboard, install it on your store, and mint a permanent access token from it. That token is stored encrypted in your Claude CMS connector, which relays your instructions to Shopify. Nothing is installed on your website, and the token never appears in a page or file.
One app per store
A custom-distribution Shopify app is permanently locked to a single store (or one Shopify Plus organisation). Each store you connect gets its own app and token.
One permanent token
The token (starts shpca_) doesn't expire. It's stored encrypted and only ever relayed to Shopify at request time - never written into your site.
You choose the reach
The scopes you tick decide exactly what Claude can touch - products and inventory only, or the full store. Customer data can be left out entirely.
Prefer the one-click route?
If you have a Claude CMS account, you can skip this whole guide - log in to your account, open the Connections tab, enter your store in the Shopify section and press Install on the Shopify approval screen. The store is linked to your account automatically. Done. The steps below are the full do-it-yourself route.
What you'll need
Admin access to the Shopify store (staff or collaborator with app permissions), a free account at dev.shopify.com, and your store's internal domain - the xxxx.myshopify.com one, shown under Settings → Domains in the store admin.
Create an app in the Shopify Dev Dashboard
Shopify has retired the old in-admin "custom apps" screen - app creation now lives in the Dev Dashboard at dev.shopify.com. Sign in (create the free dev account and organisation if this is your first time - if you're a collaborator on the store rather than a member of its organisation, this dev org will be your own, and that's fine).
On the Apps screen, ignore the big npm init CLI prompt - that's for building hosted apps. Instead use the "Get API credentials - Create app" banner at the bottom. Name the app (e.g. ClaudeCMS) and create it.
You'll land on the app's first version screen. The Client ID and Client secret it generates are the app's identity - you'll use both in step 5.
Set the scopes and release a version
Scopes are the permissions the app - and therefore Claude - will have. On the version screen, find the Access → Scopes field and paste a comma-separated list. This working set covers store management without touching customer records:
read_products,write_products,read_product_listings,read_inventory,write_inventory,read_fulfillments,write_fulfillments,read_assigned_fulfillment_orders,write_assigned_fulfillment_orders,read_merchant_managed_fulfillment_orders,write_merchant_managed_fulfillment_orders,read_third_party_fulfillment_orders,write_third_party_fulfillment_orders,read_discounts,write_discounts,read_price_rules,write_price_rules,read_marketing_events,write_marketing_events,read_content,write_content,read_themes,write_themes,read_script_tags,write_script_tags,read_shipping,write_shipping,read_analytics,read_reports,write_reports,read_gift_cards,write_gift_cards,read_locations,read_locales,write_locales,read_translations,write_translations,read_files,write_files,read_metaobjects,write_metaobjects,read_metaobject_definitions,write_metaobject_definitions,read_publications,write_publications,read_markets,write_markets,read_channels,read_resource_feedbacks,write_resource_feedbacks
Still on the version screen: tick Use legacy install flow, and add a Redirect URL. Any URL works - nothing is hosted there, it just has to exactly match the one you use in step 5. We use https://example.com by convention for the manual flow.
Then click Release. Scopes aren't live until a version is released - and any time you change scopes later, you release a new version and re-approve the install on the store.
A note on customer data
The list above deliberately leaves out read_customers and read_orders. Even so, Shopify's install screen will flag some customer data access - fulfilment scopes inherently expose shipping names and addresses. Full customer-list access needs Shopify's separate "protected customer data" approval, which most integrations are better off without.
Lock the app to your store
Open the app's Distribution settings and choose Custom distribution. Enter your store's xxxx.myshopify.com domain and generate the install link. Two things to know before you confirm:
It's permanent
Custom distribution can't be undone, and the app is then installable only on the store (or Plus organisation) you name. That's exactly what you want for a private integration - just name the right store.
Leave multi-store off
Unless you specifically want the app installable across a whole Shopify Plus organisation, leave "Allow multi-store install" unticked so it's locked to the one store.
Install the app on your store
Copy the generated install link and open it in a browser where you're logged in to the store's admin. Shopify shows the permission summary from your scopes - review it, then click Install. The app now appears in the store's Apps list, and its credentials are live against that store.
Mint the permanent access token
This is the one technical step, and it's two browser visits and one command. It uses the classic OAuth authorization-code flow - the quick "client credentials" shortcut only works when the app and store are in the same organisation, which usually isn't the case for agency or collaborator setups.
Visit this URL (swap in your store domain, your Client ID, and the same scope list from step 2). Because the app is already installed, it approves instantly and redirects to example.com:
https://YOUR-STORE.myshopify.com/admin/oauth/authorize?client_id=YOUR_CLIENT_ID&scope=YOUR_SCOPE_LIST&redirect_uri=https://example.com&state=setup
The browser lands on an example.com URL containing ?code=xxxxxxxx. Copy that code value from the address bar - it's single-use and short-lived, so go straight to the next step.
Run this from any terminal (or ask Claude to run it), swapping in your values. The response contains "access_token": "shpca_..." - that's the permanent token:
curl -X POST "https://YOUR-STORE.myshopify.com/admin/oauth/access_token" -H "Content-Type: application/json" -d '{"client_id":"YOUR_CLIENT_ID","client_secret":"YOUR_CLIENT_SECRET","code":"THE_CODE_FROM_5B"}'
Treat the token like a password
It carries everything the scopes allow, and it doesn't expire. Don't commit it, don't paste it into pages, don't email it in plain text. If it ever leaks, uninstall and reinstall the app (or rotate the client secret) and mint a fresh one.
Add the connection to your Claude connector
Last step: register the store in your MCP admin so it shows up as tools in Claude. Add a new site connection with these values:
| Field | Value |
|---|---|
| Name | Anything readable, e.g. MyBrand Shopify - this becomes the tool prefix in Claude |
| API URL | https://claudecms.com/claude/shopify.php?shop=YOUR-STORE.myshopify.com |
| API key | The shpca_ token from step 5 |
The token is encrypted at rest and paired with that one store - a connection can never reach a different store's data. Refresh the connector in Claude and the new tools appear, prefixed with the connection name.
Open a new Claude chat with the connector enabled and prompt:
Get my Shopify store profile and tell me the store name, currency and how many products it has.
If Claude comes back with your store details, the whole chain - Claude, connector, adapter, Shopify - is live. From here Claude can list and edit products, manage inventory and locations, and run any Admin API operation your scopes allow via GraphQL or REST.
Shopify connection FAQ
Can I connect more than one store?
Yes. The connector side is multi-store already - each store is its own connection with its own ?shop= URL and token. On the Shopify side, repeat steps 1-5 per store, because a custom-distribution app is locked to one store (stores inside the same Shopify Plus organisation can share one app with multi-store install enabled).
Why not the simple "client credentials" token?
Shopify only allows that shortcut when the app and the store belong to the same organisation. If you're a collaborator, freelancer or agency, they don't - so the authorization-code flow in step 5 is the supported route. The upside: it yields a permanent token instead of one that expires every 24 hours.
Does Claude get access to customer data?
Not with the scope list above - customer and order records are excluded. Fulfilment scopes do expose shipping names and addresses on fulfilment orders, which is unavoidable if you want Claude to help with fulfilment. Trim the scope list further if you want a pure catalogue/content connection.
What happens if I change scopes later?
Edit the scopes on a new app version, release it, then re-open the store's Apps screen to approve the new permissions. Mint a fresh token afterwards (step 5) so it carries the new scopes, and update the connection's API key.
How do I revoke access?
Uninstall the app from the store's Apps screen - every token it ever issued dies instantly. That's your kill switch, and it's always in the store owner's hands.
I got "shop_not_permitted" when trying for a token
That's the client-credentials shortcut being refused because the app and store are in different organisations - it's expected. Use the authorization-code flow in step 5 instead.
Put Claude to work on your store
Fifteen minutes of setup, then products, inventory and content by conversation. Stuck on any step? We'll walk you through it.