Re-authenticating shops after a Shopify API version upgrade 

When you upgrade your Shopify connection to API version 2026-04 or later, Gadget adds support for Shopify's new expiring offline access tokens. Your existing shop installs are not affected by the upgrade, and no immediate action is required.

This guide explains what changes with 2026-04, how shops transition to the new token format, and what to expect as a developer.

Upgrading to 2026-04 will not break your existing shop installs. Your current non-expiring offline access tokens continue to work after the upgrade. Shopify only enforces expiring tokens for new public apps created on or after April 1, 2026. For existing apps, merchants gradually transition to the new token format as they naturally open your app. No data is lost and no action is required from you or your merchants.

What changes with 2026-04 

Shopify supports and recommends using expiring offline access tokens, and starting April 1, 2026, requires new public apps to use them. Gadget added support for expiring tokens in API version 2026-04. Before 2026-04, Gadget used non-expiring offline access tokens that it stored and used indefinitely. On 2026-04, new token exchanges produce short-lived access tokens (currently 60 minutes) paired with longer-lived refresh tokens. Gadget uses the refresh token to mint new access tokens automatically.

For new public apps created on or after April 1, 2026, Shopify requires expiring tokens, and Gadget handles this automatically from the first install.

When you upgrade to 2026-04, Gadget adds three new fields to your shopifyShop model: refreshToken, accessTokenExpiresAt, and refreshTokenExpiresAt. These fields are empty for existing shops and populate automatically when a merchant opens your app.

What happens during the upgrade 

  1. You change the API version on your Shopify connection in Gadget.
  2. Existing shops continue working with their current non-expiring access tokens. Nothing changes for these shops until a merchant opens the app.
  3. When a merchant opens the embedded app in their Shopify admin, Gadget runs a token exchange with Shopify. Shopify returns a fresh expiring access token and a refresh token. Gadget stores these on the merchant's shopifyShop record.
  4. From that point on, token refresh is automatic. When the access token is within 2 minutes of expiring, Gadget exchanges the refresh token for a new pair on the next API call. This is transparent to your app code.

Gadget automatically refreshes tokens during syncs, reconciliation, and API calls. As long as your app is actively processing webhooks or running nightly syncs for a shop, the tokens stay fresh. The refresh token only expires if the app has no activity at all for that shop for an extended period, in which case the merchant would need to open the app again.

What merchants experience 

Merchants do not see anything special. They open your app the way they normally would, by going to Apps in their Shopify admin and clicking your app's tile, and the token exchange happens transparently in the background. There is no confirmation dialog, no permissions prompt, and no extra step for them to take.

What happens if a merchant does not open the app 

The existing non-expiring access token continues to work. Syncs, webhooks, and API calls all function as before. The shop stays on the old token format until the merchant naturally opens the app, at which point Gadget transitions it to expiring tokens.

There is no deadline or urgency to migrate shops. Shopify recommends expiring tokens for better security, but does not enforce them for apps created before April 1, 2026.

How to find shops still using non-expiring tokens 

After upgrading to 2026-04, you can see which shops have not yet transitioned by querying for installed shops with no refreshToken:

GraphQL
query ShopsOnLegacyTokens {
  shopifyShops(
    filter: {
      state: { matches: { created: "installed" } }
      refreshToken: { isSet: false }
    }
  ) {
    edges {
      node {
        id
        myshopifyDomain
        email
      }
    }
  }
}

These shops are working normally on their existing tokens. Once a merchant opens the embedded app, refreshToken and accessTokenExpiresAt populate and the shop transitions to the new format.

How token refresh works after migration 

Once a shop has transitioned to expiring tokens, Gadget handles all token management automatically:

  • Access tokens expire after approximately 60 minutes.
  • Before each Shopify API call, Gadget checks the token expiry and refreshes if needed.
  • Both the access token and refresh token rotate on each refresh. Gadget persists the new pair to the database immediately.
  • If multiple requests need a refresh at the same time, Gadget deduplicates the refresh calls so only one request goes to Shopify.
  • Your app code does not need to handle any of this. Calls to connections.shopify.current, connections.shopify.forShopId(), and connections.shopify.forShopDomain() all use fresh tokens automatically.
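
The refresh rules listed above (expiry check with a 2-minute window, rotation of both tokens, deduplicated refreshes), sketched as an added example that is not Gadget's own implementation. The names tokenState, getAccessToken, exchangeRefreshToken and saveShop are hypothetical, and the accessToken field name and Date-valued expiry fields are assumptions.

```javascript
// Added illustration, not Gadget's implementation. exchangeRefreshToken and
// saveShop are hypothetical callbacks standing in for the Shopify token call
// and the database write; shop.accessToken is an assumed field name.
const REFRESH_SKEW_MS = 2 * 60 * 1000; // refresh when within 2 minutes of expiry

function tokenState(shop, now = Date.now()) {
  if (!shop.refreshToken) return "legacy"; // non-expiring token, nothing to refresh
  if (shop.refreshTokenExpiresAt && shop.refreshTokenExpiresAt.getTime() <= now) {
    return "reauth-required"; // merchant has to open the app again
  }
  const expiresAt = shop.accessTokenExpiresAt.getTime();
  return expiresAt - now <= REFRESH_SKEW_MS ? "needs-refresh" : "fresh";
}

const inFlight = new Map(); // shop id -> pending refresh promise

function getAccessToken(shop, { exchangeRefreshToken, saveShop, now = Date.now() }) {
  const state = tokenState(shop, now);
  if (state === "legacy" || state === "fresh") return Promise.resolve(shop.accessToken);
  if (state === "reauth-required") {
    return Promise.reject(new Error(`shop ${shop.id}: refresh token expired`));
  }
  // Single flight: concurrent callers share one refresh, so a rotated
  // (already consumed) refresh token is never presented a second time.
  let pending = inFlight.get(shop.id);
  if (!pending) {
    pending = exchangeRefreshToken(shop.refreshToken)
      .then(async (pair) => {
        // Both tokens rotate: persist the new pair before handing it out.
        Object.assign(shop, pair);
        await saveShop(shop);
        return shop.accessToken;
      })
      .finally(() => inFlight.delete(shop.id));
    inFlight.set(shop.id, pending);
  }
  return pending;
}
```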
