Here’s what’s changing in the Private API on June 4, 2026.
We are introducing more granular access settings for Private API tokens. Premium merchants will be able to control which API endpoint groups each token can access and whether the token has read or write permissions.
We are extending the settings of Private API tokens for Premium e-shops. This change will be released by June 4, 2026.
Until now, a private token granted access to the entire Private API. With the new settings, each token can be assigned specific endpoint groups and access rights for each group (read/write).
This gives merchants better control over API access granted to external developers or implementation partners.
There is no immediate action required for existing private tokens.
Existing private tokens will keep full read and write access to all endpoint groups after the release. Newly created tokens will also have all available endpoint groups assigned by default, so they can access all API endpoints out of the box.
However, merchants can restrict token access at any time in their administration under Connections → Private API. If a token does not have sufficient rights for a specific endpoint, the API will return HTTP 403 Forbidden with the error code: invalid-token-no-rights
Please make sure your integrations handle this response correctly. If your integration starts receiving this error, ask the merchant to check the endpoint group rights for the private token used by your service.
More information in our documentation:
If you have any questions, feedback or requests, please contact us at api@shoptet.cz.