At Flagship, we regularly host internal knowledge-sharing sessions (All-Hands Knowledge Sharing Sessions) to discuss the latest Shopify updates and development best practices. In our most recent session, we covered an increasingly important topic for Shopify development: the migration from Legacy Custom Apps to the Dev Dashboard API.

Based on the content of that internal session, this article explains what is changing and why it matters.

1. What is happening: the so-called “2026 issue”

Shopify has announced that starting January 1, 2026, it will discontinue the creation of new “Legacy Custom Apps” that are built directly from the Shopify admin.

Before

• Custom apps could be created directly from the “Apps and sales channels” section of the Shopify admin
• A permanent API token could be issued, allowing immediate external integrations

After

• New custom apps must be created and managed via the Dev Dashboard (Partner Dashboard)
• An OAuth-based authentication flow becomes the standard

What about existing apps?

Existing Legacy Custom Apps will continue to function after January 1, 2026. However, once an app is deleted, it cannot be recreated as a Legacy app. In addition, if an API key is invalidated due to an error or misconfiguration, recovery will no longer be possible using the previous, simpler methods.

For this reason, this change should not be viewed as a minor specification update, but rather as a structural turning point that carries long-term operational risk.

2. What changes technically: authentication and token management

The most significant technical change in this migration is the authentication model and the lifecycle of access tokens.

Characteristics of Legacy Custom Apps

• Permanent access tokens (shpat_xxx)
• Minimal maintenance once configured
• No expiration date

Characteristics of Dev Dashboard–based apps

• OAuth 2.0–based authentication
• Access tokens are obtained using a Client ID and Client Secret
• Access tokens expire every 24 hours
• Regular token refresh handling is required

This represents a shift from a “set it once and forget it” approach to one that assumes continuous token management as part of the system design.

3. Why Shopify is making this change

This policy shift is primarily driven by improvements in security and the unification of the development environment.

• Stronger security and permission management
  Write-access integrations are treated as explicit “apps,” rather than being managed through ad hoc API keys.
• Unified developer experience
  A consistent development workflow centered around the Dev Dashboard and Shopify CLI.

While this may appear to increase development effort in the short term, it ultimately improves transparency, security, and extensibility over the long term.

4. How to approach the migration

The key is not to assume that “if it still works, it can stay as-is.” For business-critical functionality—such as inventory synchronization or metafield updates—it is important not to leave legacy mechanisms in place, but to proactively transition to more robust and future-proof solutions.

For an overview of the migration phases, please refer to the timeline below.

Conclusion

This change is more than just a different way of creating API keys. It represents an important shift in how authentication, operations, and risk management are approached in Shopify integrations.

If you are currently using API keys created directly from the Shopify admin for external integrations, we strongly recommend reviewing your setup and planning ahead with 2026 in mind.

At Flagship, we support merchants through these structural changes with a focus on long-term stability and business continuity.