Shopify API access scopes
All apps need to request access to specific store data during the app authorization process. This guide provides a complete list of available access scopes for the Admin, Storefront, and Payment Apps APIs.
How it works
Anchor link to section titled "How it works"After you've generated API credentials, your app needs to be authorized to access store data.
Authorization is the process of giving permissions to apps. Merchants can authorize Shopify apps to access data in a store. For example, an app might be authorized to access orders and product data in a store.
An app can request authenticated or unauthenticated access scopes.
| Type of access scopes | Description | Example use cases |
|---|---|---|
| Authenticated | Controls access to resources in the REST Admin API, GraphQL Admin API, and Payments Apps API. Authenticated access is intended for interacting with a store on behalf of a merchant. |
|
| Unauthenticated | Controls an app's access to Storefront API objects. Unauthenticated access is intended for interacting with a store on behalf of a customer. |
|
Authenticated access scopes
Anchor link to section titled "Authenticated access scopes"Your app can request the following authenticated access scopes:
| Scope | Access |
|---|---|
read_all_orders |
All orders rather than the default window of 60 days worth of ordersPermissions required This OAuth scope is used in conjunction with |
read_assigned_fulfillment_orders,
|
FulfillmentOrder resources assigned to a location managed by your fulfillment service |
read_checkouts,
|
Checkouts |
read_content,
|
Article, Blog, Comment, Page, and Redirect |
read_customers,
|
Customer and Saved Search |
read_customer_payment_methods |
CustomerPaymentMethodPermissions required You need to request permission for this access scope from your Partner Dashboard before adding it to your app. |
read_discounts,
|
GraphQL Admin API Discounts features |
read_draft_orders,
|
Draft Order |
read_files,
|
GraphQL Admin API GenericFile object and fileCreate, fileUpdate, and fileDelete mutations |
read_fulfillments,
|
Fulfillment Service |
read_gift_cards,
|
Gift Card SHOPIFY PLUS |
read_inventory,
|
Inventory Level and Inventory Item |
read_legal_policies |
GraphQL Admin API Shop Policy |
read_locales,
|
GraphQL Admin API Shop Locale |
read_locations |
Location |
read_marketing_events,
|
Marketing Event |
read_merchant_approval_signals |
MerchantApprovalSignals |
read_merchant_managed_fulfillment_orders,
|
FulfillmentOrder resources assigned to merchant-managed locations |
read_orders,
|
Abandoned checkouts, Customer, Fulfillment, Order, and Transaction resources |
read_payment_mandate,
|
PaymentMandate |
read_payment_terms,
|
GraphQL Admin API PaymentSchedule and PaymentTerms objects |
read_price_rules,
|
Price Rules |
read_products,
|
Product, Product Variant, Product Image, Collect, Custom Collection, and Smart Collection |
read_product_listings |
Product Listing and Collection Listing |
read_publications,
|
Product publishing and Collection publishing The read_publications and
|
read_purchase_options,
|
SellingPlan |
read_reports,
|
Reports |
read_resource_feedbacks,
|
ResourceFeedback |
read_script_tags,
|
Script Tag |
read_shipping,
|
Carrier Service, Country, and Province |
read_shopify_payments_disputes |
Shopify Payments Dispute resource |
read_shopify_payments_payouts |
Shopify Payments Payout, Balance, and Transaction resources |
read_own_subscription_contracts,
|
SubscriptionContractPermissions required You need to request permission for these access scopes from your Partner Dashboard before adding them to your app. |
read_themes,
|
Asset and Theme |
read_translations,
|
GraphQL Admin API Translatable object |
read_third_party_fulfillment_orders,
|
FulfillmentOrder resources assigned to a location managed by any fulfillment service |
read_users |
User and StaffMemberSHOPIFY PLUS |
read_order_edits,
|
GraphQL Admin API OrderStagedChange types and order editing features |
write_payment_gateways |
Payments Apps API paymentsAppConfigure |
write_payment_sessions |
Payments Apps API Payment, Capture, Refund and Void |
Unauthenticated access scopes
Anchor link to section titled "Unauthenticated access scopes"Your app can request the following unauthenticated access scopes:
| Scope | Access |
|---|---|
unauthenticated_read_checkouts,
|
Checkout object |
unauthenticated_read_customers,
|
Customer object |
unauthenticated_read_customer_tags |
tags field on the Customer object |
unauthenticated_read_content |
Storefront content, such as Article, Blog, and Comment objects |
unauthenticated_read_product_listings |
Product and Collection objects |
unauthenticated_read_product_tags |
tags field on the Product object. |
unauthenticated_read_selling_plans |
Selling plan content on the Product object. |
Checking granted access scopes
Anchor link to section titled "Checking granted access scopes"You can check your app’s granted access scopes using the GraphQL Admin API or REST Admin API.
Limitations and considerations
Anchor link to section titled "Limitations and considerations"- Apps should request only the minimum amount of data that's necessary for an app to function when using a Shopify API. Shopify restricts access to scopes for apps that don't require legitimate use of the associated data.
- Only public or custom apps are granted access scopes. Legacy app types, such as private or unpublished, won't be granted new access scopes.