dlt version
1.18.2
Source name
shopify
Describe the problem
Shopify is introducing a major OAuth change on January 1st, and this will break the current Shopify verified source.
The dlt Shopify documentation currently instructs developers to obtain an Admin API access token via:
Shopify Admin → Apps → Develop apps → Configure Admin API → Reveal Admin API token
This workflow is being removed on Jan 1st.
From that date forward:
-
Custom apps must be created in the Partner Dashboard, not the Shopify Admin.
-
Developers can no longer obtain an Admin API token for a store.
-
Developers only receive a client_id and client_secret.
-
The old OAuth client_credentials flow fails for collaborators with:
Oauth error shop_not_permitted: Client credentials cannot be performed on this shop.
This means collaborators cannot generate access tokens at all, and therefore dlt cannot authenticate.
Shopify now only supports the session-token → token-exchange flow for custom apps, which requires:
This is not compatible with headless DLT pipelines running on cron, servers, or GitHub Actions.
As a result:
- All current dlt Shopify pipelines will fail starting January 1st
- The verified source no longer has a valid authentication mechanism
- The current documentation becomes incorrect
Expected behavior
The dlt Shopify source should continue to authenticate without requiring:
-
a browser session
-
App Bridge
-
a logged-in merchant
-
human interaction
The expectation is that the Shopify source can obtain or refresh an Admin API token programmatically, as it does today.
Steps to reproduce
-
Create a custom app in the Shopify Partner Dashboard (required starting Jan 1st).
-
Install the app on a store where you have collaborator access (the normal case for agencies/developers).
-
Attempt to request an Admin API token using:
POST /admin/oauth/access_token
grant_type=client_credentials
client_id=...
client_secret=...
- Shopify returns
Oauth error shop_not_permitted: Client credentials cannot be performed on this shop.
- This prevents dlt Shopify source from authenticating.
How you are using the source?
I'm considering using this source in my work, but bug is preventing this.
Operating system
Linux
Runtime environment
Virtual Machine
Python version
3.12.3
dlt destination
PostgreSQL
Additional information
-
Shopify confirmed that the change applies to all custom apps starting Jan 1st.
-
The current dlt documentation will become invalid on that date.
-
Without an updated auth method, new users will not be able to run the Shopify source at all.
-
This may require changes to both:
dlt version
1.18.2
Source name
shopify
Describe the problem
Shopify is introducing a major OAuth change on January 1st, and this will break the current Shopify verified source.
The dlt Shopify documentation currently instructs developers to obtain an Admin API access token via:
Shopify Admin → Apps → Develop apps → Configure Admin API → Reveal Admin API tokenThis workflow is being removed on Jan 1st.
From that date forward:
Custom apps must be created in the Partner Dashboard, not the Shopify Admin.
Developers can no longer obtain an Admin API token for a store.
Developers only receive a client_id and client_secret.
The old OAuth
client_credentialsflow fails for collaborators with:This means collaborators cannot generate access tokens at all, and therefore dlt cannot authenticate.
Shopify now only supports the session-token → token-exchange flow for custom apps, which requires:
An embedded app
A browser session
A session token generated by App Bridge
A backend exchange for an Admin API token
This is not compatible with headless DLT pipelines running on cron, servers, or GitHub Actions.
As a result:
Expected behavior
The dlt Shopify source should continue to authenticate without requiring:
a browser session
App Bridge
a logged-in merchant
human interaction
The expectation is that the Shopify source can obtain or refresh an Admin API token programmatically, as it does today.
Steps to reproduce
Create a custom app in the Shopify Partner Dashboard (required starting Jan 1st).
Install the app on a store where you have collaborator access (the normal case for agencies/developers).
Attempt to request an Admin API token using:
How you are using the source?
I'm considering using this source in my work, but bug is preventing this.
Operating system
Linux
Runtime environment
Virtual Machine
Python version
3.12.3
dlt destination
PostgreSQL
Additional information
Shopify confirmed that the change applies to all custom apps starting Jan 1st.
The current dlt documentation will become invalid on that date.
Without an updated auth method, new users will not be able to run the Shopify source at all.
This may require changes to both:
the verified source implementation (ShopifyApi)
and the official documentation.