Shopify Access Token

Detects the Shopify access-token family: Admin API access tokens (shpat_), custom app access tokens (shpca_), legacy private app passwords (shppa_) and app shared secrets (shpss_), each followed by a 32-character hex body. A leaked token grants API access to a Shopify store, including customers, orders and payment-adjacent data.

Type
regex
Engine
universal
Confidence
high
Confidence justification
High confidence: all four prefixes are multiply attested (TruffleHog production detectors for shpat_/shppa_/shpss_, gitleaks rules for all four including shpca_, and Shopify's own changelog confirming the 38-character total length), and Shopify is a GitHub secret-scanning partner with push-protection-enabled token types. The distinctive prefix plus fixed-length hex body makes false positives extremely unlikely.
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
Data categories
credentials, security
Scope
narrow
Risk rating
9
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_])shp(?:at|ca|pa|ss)_[0-9a-fA-F]{32}(?![A-Za-z0-9_])

Corroborative evidence keywords

shopify, myshopify.com, SHOPIFY_ACCESS_TOKEN, admin api, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References