Shopify Implements Stricter Rate Limits for Bots Without Web Bot Auth

Shopify has introduced stricter rate limits for bots and agents accessing the Storefront API and Shopify-hosted online store pages. The platform now applies the most restrictive rate limits to bots that don’t sign their requests, while bots using Web Bot Auth qualify for higher rate limits.

What Changed

The update affects all automated systems that interact with Shopify storefronts. Bots and agents that fail to identify themselves through proper authentication now face significantly reduced API access. Shopify’s documentation on Storefront rate limits provides specific thresholds for different authentication levels.

Impact on Developers

Developers operating bots or automated agents must now implement Web Bot Auth to maintain reasonable API access rates. This includes headless commerce implementations, content scrapers, monitoring tools, and any automated systems that interact with Shopify storefronts. Without proper authentication, these tools will hit rate limits faster, potentially disrupting their functionality.

Technical Requirements

Web Bot Auth requires bot operators to sign their requests with cryptographic signatures that identify the bot and its operator. This authentication method allows Shopify to distinguish legitimate automated traffic from potentially harmful bots while maintaining appropriate rate limits for each category.

Developers should review their current bot implementations and add Web Bot Auth signing to avoid service disruptions. The change applies immediately to all Storefront API requests and storefront page access, making implementation a priority for any team running automated Shopify integrations.

Read the full announcement →