Shopify Access Token
Detects the Shopify access-token family: Admin API access tokens (shpat_), custom app access tokens (shpca_), legacy private app passwords (shppa_) and app shared secrets (shpss_), each followed by a 32-character hex body. A leaked token grants API access to a Shopify store, including customers, orders and payment-adjacent data.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: all four prefixes are multiply attested (TruffleHog production detectors for shpat_/shppa_/shpss_, gitleaks rules for all four including shpca_, and Shopify's own changelog confirming the 38-character total length), and Shopify is a GitHub secret-scanning partner with push-protection-enabled token types. The distinctive prefix plus fixed-length hex body makes false positives extremely unlikely.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_])shp(?:at|ca|pa|ss)_[0-9a-fA-F]{32}(?![A-Za-z0-9_])
Corroborative evidence keywords
shopify, myshopify.com, SHOPIFY_ACCESS_TOKEN, admin api, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)
Proximity: 300 characters
Should match
shpat_0123456789abcdef0123456789abcdef— Shopify Admin API access token (shpat_ + 32-hex body)SHOPIFY_ACCESS_TOKEN=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— Labelled Shopify custom app access token in an env assignmentshppa_abcdef0123456789abcdef0123456789— Shopify legacy private app password (shppa_)shpss_0123456789ABCDEF0123456789ABCDEF— Shopify app shared secret (shpss_, uppercase hex body)
Should not match
shpxx_0123456789abcdef0123456789abcdef— Invalid prefix variant (shpxx_ is not a Shopify token family)shpat_0123456789abcdef0123456789abcde— Body too short (31 hex chars, not 32)shpat_0123456789abcdefghijklmnopqrstuv— Body contains non-hex characters (g-v), not a valid token bodyrotate the shopify admin api access token— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Documentation or examples showing placeholder shpat_/shpca_/shppa_/shpss_ strings. Mitigation: Require corroborative Shopify keywords and check for placeholder markers (example, xxxx).
- Pre-2020 Shopify tokens (32 characters total, shorter body) are an older generation not matched by this pattern. Mitigation: Documented as a known scope limitation; only the current 38-character (prefix + 32-hex) generation is matched.
References
- TruffleHog production Shopify detector (shppa_/shpat_ + 32-hex body)
- TruffleHog production Shopify OAuth detector (shpss_ shared secret + 32-hex body)
- gitleaks rules: shopify-access-token, shopify-custom-access-token, shopify-private-app-access-token, shopify-shared-secret
- Shopify changelog confirming 38-character total token length (prefix included) for shpat_/shpca_/shppa_
- Supported secret scanning patterns - GitHub Docs (Shopify partner token types)