
Connect Shopify

ConfigTrace connects to Shopify using Admin API credentials and monitors configuration metadata related to store posture, webhook subscriptions, store policies, and app permission scopes — metadata only, never customer data, order contents, or payment details.

Prerequisites

  • A Shopify store you own or administer
  • Permission to create a custom app in Shopify Admin (store-owner or staff with the right scopes)
  • A ConfigTrace workspace (owner or admin role)

Step 1 — Prepare Shopify Admin API access

ConfigTrace recommends creating a dedicated custom app in Shopify Admin so the credentials are scoped to ConfigTrace and easy to rotate or revoke.

  1. Open the apps & sales channels page
     In Shopify Admin, go to Settings → Apps and sales channels → Develop apps.
  2. Create a custom app
     Click Create an app. Name it something like ConfigTrace (read-only) so it's easy to find later.
  3. Configure Admin API scopes
     Open Configuration → Admin API integration → Configure. Select the read-only scopes listed in Step 2 below.
  4. Install the app and copy the Admin API access token
     Click Install app, then copy the Admin API access token. Store it somewhere safe — Shopify only shows it once.

The Admin API access token is the only secret ConfigTrace needs. You can revoke or rotate it at any time from Settings → Apps and sales channels → Develop apps → ConfigTrace.

Step 2 — Confirm required read-only access

ConfigTrace only requests the minimum read-only Admin API scopes needed to monitor configuration metadata. Recommended scopes:

  • read_shop — shop metadata and operational settings
  • read_webhooks — webhook subscription metadata (URLs, topics, status)
  • read_policies — store policy presence and content-hash metadata
  • read_apps (where available) — installed-app permission-scope names and scope risk summary
Do not grant write_*, read_customers, read_orders, read_inventory, or theme/source scopes. ConfigTrace does not need them and does not read those resources.
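
To confirm the custom app holds only the scopes listed above before you paste its token into ConfigTrace, you can audit the scope list Shopify reports for that token. The following is an added example, not ConfigTrace's own code. It assumes you have saved the JSON body returned by Shopify's Admin API access-scopes listing (GET /admin/oauth/access_scopes.json), and the function name and sample responses are constructed for illustration.

```python
import json

# Scopes recommended in Step 2 of this page; read_apps is "where available".
REQUIRED = {"read_shop", "read_webhooks", "read_policies"}
OPTIONAL = {"read_apps"}
# Read scopes this page explicitly says not to grant.
FORBIDDEN_READ = {"read_customers", "read_orders", "read_inventory"}


def audit_scopes(response_body: str) -> dict:
    """Classify the scopes granted to a custom app's token.

    response_body is JSON shaped as {"access_scopes": [{"handle": "..."}]}.
    """
    granted = {s["handle"] for s in json.loads(response_body)["access_scopes"]}
    report = {
        "write": sorted(s for s in granted if s.startswith("write_")),
        "forbidden_read": sorted(granted & FORBIDDEN_READ),
        "missing": sorted(REQUIRED - granted),
    }
    # Anything else outside the allowlist (for example theme scopes) is unexpected.
    known = REQUIRED | OPTIONAL | FORBIDDEN_READ
    report["unexpected"] = sorted(
        s for s in granted - known if not s.startswith("write_")
    )
    report["ok"] = not (report["write"] or report["forbidden_read"]
                        or report["missing"] or report["unexpected"])
    return report


# Constructed sample responses (not real store data).
OVERSCOPED = json.dumps({"access_scopes": [
    {"handle": "read_shop"}, {"handle": "read_webhooks"},
    {"handle": "write_webhooks"}, {"handle": "read_orders"},
    {"handle": "read_themes"},
]})
MINIMAL = json.dumps({"access_scopes": [
    {"handle": "read_shop"}, {"handle": "read_webhooks"},
    {"handle": "read_policies"}, {"handle": "read_apps"},
]})

if __name__ == "__main__":
    for name, body in (("overscoped", OVERSCOPED), ("minimal", MINIMAL)):
        print(name, audit_scopes(body))
```

If the report is not ok, remove the flagged scopes in the custom app's configuration and re-install the app before connecting it.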

Step 3 — Connect Shopify in ConfigTrace

  1. Open Integrations
     In the ConfigTrace sidebar, click Integrations, then click Connect on the Shopify card.
  2. Enter your shop domain
     Paste your *.myshopify.com domain (e.g. acme-store.myshopify.com).
  3. Paste the Admin API access token
     Paste the token from Step 1. ConfigTrace encrypts the token before storage and never displays it again.
  4. Save integration
     Click Save integration. ConfigTrace performs a read-only validation call to confirm credentials work.

Step 4 — Run your first sync

Click Sync Now. The first sync captures your shop settings, webhook subscriptions, policy metadata, and installed-app scope summary as a baseline snapshot — this becomes the reference point for all future diffs.

After the first sync, ConfigTrace continues syncing on your plan's schedule. You can trigger a manual sync from the integration detail page at any time.

What ConfigTrace monitors

Reads (configuration metadata)
  • Shop metadata and operational settings (timezone, currency, shop status)
  • Webhook subscription metadata: target URL, topic, status, format
  • Store policy presence and content-hash metadata (refund, privacy, terms of service)
  • Installed-app permission scope names and scope risk summary
Never reads
  • Customer records or customer PII
  • Order contents or checkout payloads
  • Payment details
  • Inventory contents
  • Theme files or source code
  • Admin API secret key values
  • Gift card or payment transaction contents

What ConfigTrace never reads

ConfigTrace monitors metadata only: configuration, presence, scope names, and content-hash signatures. It does not read customer data, order contents, payment data, inventory, theme files, or any secret values. ConfigTrace also does not write to Shopify — it never modifies settings, webhooks, policies, or app scopes on your behalf.

For a full breakdown across all providers, see the Data Access & Permissions reference.

Troubleshooting

  • "Invalid token" on save: Confirm you pasted the Admin API access token, not the API key or API secret. Tokens start with shpat_.
  • "Insufficient scopes" during sync: Open the custom app in Shopify Admin, add the missing read-only scope, click Save, then re-install the app and copy the new token into ConfigTrace.
  • Webhook section is empty after sync: The token may be missing read_webhooks. Add it, re-install, and re-sync.
  • To revoke access: In Shopify Admin, go to Settings → Apps and sales channels → Develop apps → ConfigTrace and click Uninstall. ConfigTrace stops reading immediately.

For other issues, see the general Troubleshooting guide.