---
title: Order Risk
description: Display a fraud analysis and recommendations on the details page of an order.
api_version: 2026-01
api_name: admin-rest
api_type: rest
source_url:
  html: 'https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk'
  md: 'https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md'
---

The REST Admin API is a legacy API as of October 1, 2024. Starting April 1, 2025, all new public apps must be built exclusively with the [GraphQL Admin API](https://shopify.dev/docs/api/admin-graphql). For details and migration steps, visit our [migration guide](https://shopify.dev/docs/apps/build/graphql/migrate).

# Order Risk

**Requires \`orders\` access scope.:**

The Order Risk resource allows you to create, retrieve, update, and delete order risks. Order risks represent the results of fraud checks that have been completed for an order.

#### Usage notes

**Caution:**

As of version 2024-04 this resource is deprecated. Risk Assessments can be queried via the [Order Risk Assessment API](https://shopify.dev/docs/api/admin-graphql/2024-04/objects/OrderRiskAssessment).

* This resource is deprecated in version 2024-04. Please refer to the GraphQL api for [Order#field-order-risk](https://shopify.dev/docs/api/admin-graphql/2024-04/objects/Order#field-order-risk)
* When determining an order's risk level, Shopify takes into account only those order risks that have the display property set to `true`. Orders with a display set to `false` will not be returned through the Order Risk resource. It's not advised to create order risks with a display set to `false`. This property might be removed in future API versions.
* Risk assessments will favor the most severe risk recommendation for an order. Keep this in mind when creating new order risks.

\#

## Endpoints

* [post](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#post-orders-order-id-risks)

  [/admin/api/latest/orders/{order\_​id}/risks.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#post-orders-order-id-risks)

  Creates an order risk for an order

  [orderRiskAssessmentCreate](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order)

* [get](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#get-orders-order-id-risks)

  [/admin/api/latest/orders/{order\_​id}/risks.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#get-orders-order-id-risks)

  Retrieves a list of all order risks for an order

  [order](https://shopify.dev/docs/api/admin-graphql/latest/queries/order)

* [get](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#get-orders-order-id-risks-risk-id)

  [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#get-orders-order-id-risks-risk-id)

  Retrieves a single order risk by its ID

  **deprecated**

* [put](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#put-orders-order-id-risks-risk-id)

  [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#put-orders-order-id-risks-risk-id)

  Updates an order risk

  **deprecated**

* [del](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#delete-orders-order-id-risks-risk-id)

  [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#delete-orders-order-id-risks-risk-id)

  Deletes an order risk for an order

  **deprecated**

***

## The Order Risk resource

### Properties

***

cause\_cancel

->[recommendation](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation)

Whether this order risk is severe enough to force the cancellation of the order. If `true`, then this order risk is included in the **Order canceled** message that's shown on the details page of the canceled order.

**Note:** Setting this property to `true` does not cancel the order. Use this property only if your app automatically cancels the order using the [Order](https://shopify.dev/docs/admin-api/rest/reference/orders/order/#cancel-{{%20current_version%20}}) resource. If your app doesn't automatically cancel orders based on order risks, then leave this property set to `false`.

***

checkout\_id

**deprecated**

The ID of the checkout that the order risk belongs to.

***

display

**deprecated**

Whether the order risk is displayed on the order details page in the Shopify admin. If `false`, then this order risk is ignored when Shopify determines your app's overall risk level for the order.\<p>It's not advised to create order risks with a display set to `false`.

\<aside class='note'>\<p>This property can't be changed after an order risk is created.

This property might be removed in future API versions.

***

id

**deprecated**

A unique numeric identifier for the order risk.

***

merchant\_message

**deprecated**

The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if `display` is set to`true`.

***

message

->[description](https://shopify.dev/docs/api/admin-graphql/latest/objects/RiskFact#field-RiskFact.fields.description)

The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if `display` is set to`true`.

***

order\_id

->[id](https://shopify.dev/docs/api/admin-graphql/latest/objects/Order#field-Order.fields.id)

The ID of the order that the order risk belongs to.

***

recommendation

->[recommendation](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation)

The recommended action given to the merchant. Valid values:

* **cancel**: There is a high level of risk that this order is fraudulent. The merchant should cancel the order.
* **investigate**: There is a medium level of risk that this order is fraudulent. The merchant should investigate the order.
* **accept**: There is a low level of risk that this order is fraudulent. The order risk found no indication of fraud.

***

score

**string**

->[riskLevel](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.riskLevel)

**For internal use only**. A number between 0 and 1 that's assigned to the order. The closer the score is to 1, the more likely it is that the order is fraudulent.

**Note:**

There is no guarantee of stability in risk scores. Scores are not probabilities. The relationship between scores and the probability of fraud can vary over time and between risk providers.

***

source

->[provider](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.provider)

The source of the order risk.

***

{}

## The Order Risk resource

```json
{
  "cause_cancel": false,
  "checkout_id": 901414060,
  "display": true,
  "id": 284138680,
  "merchant_message": "This order came from an anonymous proxy.",
  "message": "This order came from an anonymous proxy.",
  "order_id": 450789469,
  "recommendation": "cancel",
  "score": "1.0",
  "source": "External"
}
```

***

## postCreates an order risk for an order

[orderRiskAssessmentCreate](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order)

Creates an order risk for an order

### Parameters

***

api\_version

**string**

**required**

***

order\_id

**string**

**required**

***

### Examples

### Create an order risk showing a fraud risk for proxy detection

### Path parameters

order\_​id=​450789469

**string**

**required**

post

## /admin/api/2026-01/orders/450789469/risks.​json

```bash
curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \
-X POST "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks.json" \
-H "X-Shopify-Access-Token: {access_token}" \
-H "Content-Type: application/json"
```

{}

## Response

JSON

```json
HTTP/1.1 201 Created
{
  "risk": {
    "id": 1029151492,
    "order_id": 450789469,
    "checkout_id": 901414060,
    "source": "External",
    "score": "1.0",
    "recommendation": "cancel",
    "display": true,
    "cause_cancel": true,
    "message": "This order came from an anonymous proxy",
    "merchant_message": "This order came from an anonymous proxy"
  }
}
```

### examples

* #### Create an order risk showing a fraud risk for proxy detection

  #####

  ```curl
  curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \
  -X POST "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks.json" \
  -H "X-Shopify-Access-Token: {access_token}" \
  -H "Content-Type: application/json"
  ```

  #####

  ```remix
  const { admin, session } = await authenticate.admin(request);

  const order_risk = new admin.rest.resources.OrderRisk({session: session});

  order_risk.order_id = 450789469;
  order_risk.message = "This order came from an anonymous proxy";
  order_risk.recommendation = "cancel";
  order_risk.score = "1.0";
  order_risk.source = "External";
  order_risk.cause_cancel = true;
  order_risk.display = true;
  await order_risk.save({
    update: true,
  });
  ```

  #####

  ```ruby
  # Session is activated via Authentication
  test_session = ShopifyAPI::Context.active_session

  order_risk = ShopifyAPI::OrderRisk.new(session: test_session)
  order_risk.order_id = 450789469
  order_risk.message = "This order came from an anonymous proxy"
  order_risk.recommendation = "cancel"
  order_risk.score = "1.0"
  order_risk.source = "External"
  order_risk.cause_cancel = true
  order_risk.display = true
  order_risk.save!
  ```

  #####

  ```node
  // Session is built by the OAuth process

  const order_risk = new shopify.rest.OrderRisk({session: session});
  order_risk.order_id = 450789469;
  order_risk.message = "This order came from an anonymous proxy";
  order_risk.recommendation = "cancel";
  order_risk.score = "1.0";
  order_risk.source = "External";
  order_risk.cause_cancel = true;
  order_risk.display = true;
  await order_risk.save({
    update: true,
  });
  ```

  #### response

  ```json
  HTTP/1.1 201 Created{"risk":{"id":1029151492,"order_id":450789469,"checkout_id":901414060,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order came from an anonymous proxy","merchant_message":"This order came from an anonymous proxy"}}
  ```

***

## getRetrieves a list of all order risks for an order

[order](https://shopify.dev/docs/api/admin-graphql/latest/queries/order)

Retrieves a list of all order risks for an order. **Note:** This endpoint implements pagination by using links that are provided in the response header. To learn more, refer to [Make paginated requests to the REST Admin API](https://shopify.dev/api/usage/pagination-rest).

### Parameters

***

api\_version

**string**

**required**

***

order\_id

**string**

**required**

***

### Examples

### Retrieve all order risks for an order

### Path parameters

order\_​id=​450789469

**string**

**required**

get

## /admin/api/2026-01/orders/450789469/risks.​json

```bash
curl -X GET "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks.json" \
-H "X-Shopify-Access-Token: {access_token}"
```

{}

## Response

JSON

```json
HTTP/1.1 200 OK
{
  "risks": [
    {
      "id": 284138680,
      "order_id": 450789469,
      "checkout_id": null,
      "source": "External",
      "score": "1.0",
      "recommendation": "cancel",
      "display": true,
      "cause_cancel": true,
      "message": "This order was placed from a proxy IP",
      "merchant_message": "This order was placed from a proxy IP"
    },
    {
      "id": 1029151491,
      "order_id": 450789469,
      "checkout_id": 901414060,
      "source": "External",
      "score": "1.0",
      "recommendation": "cancel",
      "display": true,
      "cause_cancel": true,
      "message": "This order came from an anonymous proxy",
      "merchant_message": "This order came from an anonymous proxy"
    }
  ]
}
```

### examples

* #### Retrieve all order risks for an order

  #####

  ```curl
  curl -X GET "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks.json" \
  -H "X-Shopify-Access-Token: {access_token}"
  ```

  #####

  ```remix
  await admin.rest.resources.OrderRisk.all({
    session: session,
    order_id: 450789469,
  });
  ```

  #####

  ```ruby
  # Session is activated via Authentication
  test_session = ShopifyAPI::Context.active_session

  ShopifyAPI::OrderRisk.all(
    session: test_session,
    order_id: 450789469,
  )
  ```

  #####

  ```node
  // Session is built by the OAuth process

  await shopify.rest.OrderRisk.all({
    session: session,
    order_id: 450789469,
  });
  ```

  #### response

  ```json
  HTTP/1.1 200 OK{"risks":[{"id":284138680,"order_id":450789469,"checkout_id":null,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order was placed from a proxy IP","merchant_message":"This order was placed from a proxy IP"},{"id":1029151491,"order_id":450789469,"checkout_id":901414060,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order came from an anonymous proxy","merchant_message":"This order came from an anonymous proxy"}]}
  ```

***

## getRetrieves a single order risk by its ID**deprecated**

Retrieves a single order risk by its ID

### Parameters

***

api\_version

**string**

**required**

***

order\_id

**string**

**required**

***

risk\_id

**string**

**required**

***

### Examples

### Retrieve a single order risk

get

## /admin/api/2026-01/orders/450789469/risks/284138680.​json

```bash
curl -X GET "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \
-H "X-Shopify-Access-Token: {access_token}"
```

{}

## Response

JSON

```json
HTTP/1.1 200 OK
{
  "risk": {
    "id": 284138680,
    "order_id": 450789469,
    "checkout_id": null,
    "source": "External",
    "score": "1.0",
    "recommendation": "cancel",
    "display": true,
    "cause_cancel": true,
    "message": "This order was placed from a proxy IP",
    "merchant_message": "This order was placed from a proxy IP"
  }
}
```

### examples

* #### Retrieve a single order risk

  #####

  ```curl
  curl -X GET "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \
  -H "X-Shopify-Access-Token: {access_token}"
  ```

  #####

  ```remix
  await admin.rest.resources.OrderRisk.find({
    session: session,
    order_id: 450789469,
    id: 284138680,
  });
  ```

  #####

  ```ruby
  # Session is activated via Authentication
  test_session = ShopifyAPI::Context.active_session

  ShopifyAPI::OrderRisk.find(
    session: test_session,
    order_id: 450789469,
    id: 284138680,
  )
  ```

  #####

  ```node
  // Session is built by the OAuth process

  await shopify.rest.OrderRisk.find({
    session: session,
    order_id: 450789469,
    id: 284138680,
  });
  ```

  #### response

  ```json
  HTTP/1.1 200 OK{"risk":{"id":284138680,"order_id":450789469,"checkout_id":null,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order was placed from a proxy IP","merchant_message":"This order was placed from a proxy IP"}}
  ```

***

## putUpdates an order risk**deprecated**

Updates an order risk



**Note:**

You cannot modify an order risk that was created by another application.

### Parameters

***

api\_version

**string**

**required**

***

order\_id

**string**

**required**

***

risk\_id

**string**

**required**

***

### Examples

### Update an existing order risk for an order

put

## /admin/api/2026-01/orders/450789469/risks/284138680.​json

```bash
curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \
-X PUT "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \
-H "X-Shopify-Access-Token: {access_token}" \
-H "Content-Type: application/json"
```

{}

## Response

JSON

```json
HTTP/1.1 200 OK
{
  "risk": {
    "order_id": 450789469,
    "cause_cancel": false,
    "message": "After further review, this is a legitimate order",
    "recommendation": "accept",
    "score": "0.0",
    "source": "External",
    "id": 284138680,
    "checkout_id": null,
    "display": true,
    "merchant_message": "After further review, this is a legitimate order"
  }
}
```

### examples

* #### Update an existing order risk for an order

  #####

  ```curl
  curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \
  -X PUT "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \
  -H "X-Shopify-Access-Token: {access_token}" \
  -H "Content-Type: application/json"
  ```

  #####

  ```remix
  const { admin, session } = await authenticate.admin(request);

  const order_risk = new admin.rest.resources.OrderRisk({session: session});

  order_risk.order_id = 450789469;
  order_risk.id = 284138680;
  order_risk.message = "After further review, this is a legitimate order";
  order_risk.recommendation = "accept";
  order_risk.source = "External";
  order_risk.cause_cancel = false;
  order_risk.score = "0.0";
  await order_risk.save({
    update: true,
  });
  ```

  #####

  ```ruby
  # Session is activated via Authentication
  test_session = ShopifyAPI::Context.active_session

  order_risk = ShopifyAPI::OrderRisk.new(session: test_session)
  order_risk.order_id = 450789469
  order_risk.id = 284138680
  order_risk.message = "After further review, this is a legitimate order"
  order_risk.recommendation = "accept"
  order_risk.source = "External"
  order_risk.cause_cancel = false
  order_risk.score = "0.0"
  order_risk.save!
  ```

  #####

  ```node
  // Session is built by the OAuth process

  const order_risk = new shopify.rest.OrderRisk({session: session});
  order_risk.order_id = 450789469;
  order_risk.id = 284138680;
  order_risk.message = "After further review, this is a legitimate order";
  order_risk.recommendation = "accept";
  order_risk.source = "External";
  order_risk.cause_cancel = false;
  order_risk.score = "0.0";
  await order_risk.save({
    update: true,
  });
  ```

  #### response

  ```json
  HTTP/1.1 200 OK{"risk":{"order_id":450789469,"cause_cancel":false,"message":"After further review, this is a legitimate order","recommendation":"accept","score":"0.0","source":"External","id":284138680,"checkout_id":null,"display":true,"merchant_message":"After further review, this is a legitimate order"}}
  ```

***

## delDeletes an order risk for an order**deprecated**

Deletes an order risk for an order



**Note:**

You cannot delete an order risk that was created by another application.

### Parameters

***

api\_version

**string**

**required**

***

order\_id

**string**

**required**

***

risk\_id

**string**

**required**

***

### Examples

### Delete an order risk for an order

del

## /admin/api/2026-01/orders/450789469/risks/284138680.​json

```bash
curl -X DELETE "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \
-H "X-Shopify-Access-Token: {access_token}"
```

{}

## Response

JSON

```json
HTTP/1.1 200 OK
{}
```

### examples

* #### Delete an order risk for an order

  #####

  ```curl
  curl -X DELETE "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \
  -H "X-Shopify-Access-Token: {access_token}"
  ```

  #####

  ```remix
  await admin.rest.resources.OrderRisk.delete({
    session: session,
    order_id: 450789469,
    id: 284138680,
  });
  ```

  #####

  ```ruby
  # Session is activated via Authentication
  test_session = ShopifyAPI::Context.active_session

  ShopifyAPI::OrderRisk.delete(
    session: test_session,
    order_id: 450789469,
    id: 284138680,
  )
  ```

  #####

  ```node
  // Session is built by the OAuth process

  await shopify.rest.OrderRisk.delete({
    session: session,
    order_id: 450789469,
    id: 284138680,
  });
  ```

  #### response

  ```json
  HTTP/1.1 200 OK{}
  ```