Managing credentials
Graftport stores source and destination credentials encrypted at rest and scoped per migration. This page covers how credentials are set, what each field means in practice, and how to update them when they rotate.
Where credentials live
Credentials are set in two places:
- During the New Migration wizard — Step 1 sets source credentials; Step 2 sets destination credentials.
- On the migration’s Edit page — reachable from the migration detail page via Edit migration. Any field can be updated here after the initial setup.
You do not need to recreate a migration when an API key rotates. Update the credential in place; the next run uses the new value.
Source credentials
The fields required depend on the source platform:
| Platform | Fields |
|---|---|
| Magento | Store domain, admin username, admin password |
| Shopify (as source) | Store subdomain (example.myshopify.com), Admin API access token |
| WooCommerce | WordPress site URL, Consumer key, Consumer secret |
| HostedShop / Dandomain / Scannet | SOAP API username, SOAP API password |
See Sources → Magento, Sources → Shopify (as source), Sources → WooCommerce, and Sources → HostedShop for the exact permission requirements per platform. The HostedShop guide also covers Dandomain classic and Scannet, which share the same SOAP API.
Destination credentials
The destination is always Shopify. The one required field is the
Admin API access token — a shpat_… value from a custom app
installed on the destination store.
See Destination → Shopify for the full list of read/write scopes the token must carry per resource type.
Rotating a credential
When a source API key, admin password, or destination token changes, update it before the next run:
Open the migration
From Migrations, click the migration whose credential changed.
Go to Edit migration
Click Edit migration near the top of the detail page.
Update the field
Replace the old value with the new one. Only the changed field needs to be re-entered — all other fields stay as they are.
Save
Click Save migration. The new credential is stored immediately and encrypted at rest. The old value is not retained.
Validate with a new run
Start an extract-only run to verify the new credential is accepted. A successful extract confirms the credential is correct and in scope.
If you update a source credential mid-migration and the next run’s extract returns different data than the previous extract (for instance, the new API key is scoped to a different store view), the transformed and staged records from prior runs may no longer match. Re-run extract + transform before the next load.
Credential errors in runs
The most common credential failures appear at extract time:
| Error | Likely cause |
|---|---|
401 Unauthorized | Password or token rotated since the last run. |
403 Forbidden on a specific resource | The credential’s role is missing read scope for that resource. |
invalid_client on Shopify | The custom app was uninstalled from the destination store. |
Fix the credential on the Edit migration page, then start a new extract run. See Troubleshooting → Common errors for a full triage table.
Service accounts
Use a dedicated, read-only service account for source credentials wherever the platform supports it. This way the merchant can revoke Graftport’s access independently, without affecting other admin users. See the individual source platform pages for recommended permission sets.
Never use a person’s day-to-day admin login for a migration credential. If that person leaves the organisation, the credential silently stops working on the next run.