--- name: shopify-admin description: Shopify Admin API SOP — product tags, inventory, and other write operations via GraphQL/REST. Works with any Shopify store using a Custom App access token. required_secrets: - SHOPIFY_ACCESS_TOKEN - SHOPIFY_STORE_DOMAIN --- # Shopify Admin API SOP ## Overview Shopify has two distinct APIs — know which one to use: | API | Purpose | Auth | |---|---|---| | **Storefront API / MCP** (`/api/mcp`) | Read product catalog, cart (read-only) | None required | | **Admin API** (GraphQL/REST) | Write products, tags, inventory, etc. | `X-Shopify-Access-Token` | > The Storefront MCP is read-only. For any write operation, use the Admin API directly via the `http` tool. --- ## Credentials Stored as skill secrets (injected at runtime): - `SHOPIFY_STORE_DOMAIN` — e.g. `your-store.myshopify.com` - `SHOPIFY_ACCESS_TOKEN` — `shpat_xxx` token from a Custom App with required scopes --- ## How to Call the Admin API Use the `http` tool with `X-Shopify-Access-Token` header. ### GraphQL (recommended) ``` POST https://{SHOPIFY_STORE_DOMAIN}/admin/api/2024-01/graphql.json Headers: Content-Type: application/json X-Shopify-Access-Token: {SHOPIFY_ACCESS_TOKEN} ``` ### REST ``` GET/PUT https://{SHOPIFY_STORE_DOMAIN}/admin/api/2024-01/products/{id}.json Headers: X-Shopify-Access-Token: {SHOPIFY_ACCESS_TOKEN} ``` --- ## Common Operations ### Add / update product tags (full overwrite — include all existing tags) ```graphql mutation { productUpdate(input: { id: "gid://shopify/Product/{PRODUCT_ID}", tags: ["existing-tag1", "existing-tag2", "new-tag"] }) { product { id title tags } userErrors { field message } } } ``` ⚠️ `tags` is a full replacement. Always fetch current tags first, then merge. ### Read product tags ```graphql { product(id: "gid://shopify/Product/{PRODUCT_ID}") { id title tags } } ``` ### ID formats - Numeric: `15501243941233` - GraphQL GID: `gid://shopify/Product/15501243941233` --- ## Token Scopes For full product management, the token needs: `read_products`, `write_products` For broader operations add: `read_orders`, `read_inventory`, `write_inventory`, `read_themes`, `write_themes` --- ## Getting a Token (Custom App) 1. Shopify Admin → Settings → Apps → Develop apps 2. Create or open a Custom App → Configure → Admin API scopes 3. Install the app → API credentials tab → copy the `shpat_xxx` token (shown once) 4. Store it via: `PUT /skills/shopify-admin/secrets` `{"SHOPIFY_ACCESS_TOKEN": "shpat_xxx", "SHOPIFY_STORE_DOMAIN": "your-store.myshopify.com"}` > If you use a Dev Dashboard app (Partner App), the token is obtained via OAuth. > See the OAuth Refresh SOP below. --- ## OAuth Token Refresh SOP (Dev Dashboard apps) When a token expires (401) or needs new scopes: ### Step 1 — Verify redirect URL is configured In `shopify.app.toml`: ```toml [auth] redirect_urls = [ "https://example.com" ] ``` If empty, add it and run: `shopify app deploy --force` ### Step 2 — Open the authorization URL ``` https://{SHOPIFY_STORE_DOMAIN}/admin/oauth/authorize?client_id={CLIENT_ID}&scope={SCOPES}&redirect_uri=https://example.com&state=refresh ``` ### Step 3 — Extract the code from the redirect URL Browser redirects to `https://example.com/?code=XXXXXX&...` Extract the `code` value (valid for ~60 seconds). ### Step 4 — Exchange code for token ``` POST https://{SHOPIFY_STORE_DOMAIN}/admin/oauth/access_token Body: {"client_id": "{CLIENT_ID}", "client_secret": "{CLIENT_SECRET}", "code": "{code}"} ``` Response contains the new `access_token`. --- ## Gotchas 1. **`shopify app dev` triggers APP_UNINSTALLED webhook** — avoid for production stores. Use `shopify app deploy` to update config only. 2. **Existing token scopes don't auto-update** after Dev Dashboard scope changes — must re-run OAuth. 3. **Storefront MCP** (`/api/mcp`) is already configured in Kocoro for product search. Admin write ops bypass MCP entirely.