Shopify API Access scopes

Part of the app authorization process requires specifying which parts of a shop's data the app needs access to. An app can request any of the authenticated or unauthenticated access scopes listed below.

Only public or custom apps are granted access scopes. Legacy app types, such as published or unpublished, will not be granted new access scopes.

You can check your app’s granted access scopes with the AccessScope resource, available through the Admin API in both GraphQL and REST.

Authenticated access scopes

Authenticated access scopes control access to resources in the REST Admin API and the GraphQL Admin API. Authenticated access is intended for interacting with a store on behalf of the merchant to perform actions such as creating products and managing discount codes.

| Scope | Authenticated access granted |
| --- | --- |
| read_all_orders | All orders rather than the default window of 60 days' worth of orders. This OAuth scope is used in conjunction with read_orders and write_orders. You need to request this scope from your Partner Dashboard before adding it to your app. |
| read_assigned_fulfillment_orders, write_assigned_fulfillment_orders | FulfillmentOrder resources assigned to a location managed by your fulfillment service |
| read_checkouts, write_checkouts | Checkouts |
| read_content, write_content | Article, Blog, Comment, Page, and Redirect |
| read_customers, write_customers | Customer and Saved Search |
| read_discounts, write_discounts | GraphQL Admin API Discounts features |
| read_draft_orders, write_draft_orders | Draft Order |
| read_files, write_files | GraphQL Admin API GenericFile object and fileCreate, fileUpdate, and fileDelete mutations |
| read_fulfillments, write_fulfillments | Fulfillment Service |
| read_gift_cards, write_gift_cards | Gift Card (Shopify Plus) |
| read_inventory, write_inventory | Inventory Level and Inventory Item |
| read_legal_policies | GraphQL Admin API Shop Policy |
| read_locales, write_locales | GraphQL Admin API Shop Locale |
| read_locations | Location |
| read_marketing_events, write_marketing_events | Marketing Event |
| read_merchant_approval_signals | MerchantApprovalSignals |
| read_merchant_managed_fulfillment_orders, write_merchant_managed_fulfillment_orders | FulfillmentOrder resources assigned to merchant-managed locations |
| read_orders, write_orders | Abandoned checkouts, Customer, Fulfillment, Order, and Transaction resources |
| read_price_rules, write_price_rules | Price Rules |
| read_products, write_products | Product, Product Variant, Product Image, Collect, Custom Collection, and Smart Collection |
| read_product_listings | Product Listing and Collection Listing |
| read_reports, write_reports | Reports |
| read_resource_feedbacks, write_resource_feedbacks | ResourceFeedback |
| read_script_tags, write_script_tags | Script Tag |
| read_shipping, write_shipping | Carrier Service, Country, and Province |
| read_shopify_payments_disputes | Shopify Payments Dispute resource |
| read_shopify_payments_payouts | Shopify Payments Payout, Balance, and Transaction resources |
| read_themes, write_themes | Asset and Theme |
| read_translations, write_translations | GraphQL Admin API Translatable object |
| read_third_party_fulfillment_orders, write_third_party_fulfillment_orders | FulfillmentOrder resources assigned to a location managed by any fulfillment service |
| read_users, write_users | User (Shopify Plus) |
| write_order_edits | GraphQL Admin API order editing features |

Unauthenticated access scopes

Unauthenticated access scopes control access to objects in the Storefront API. Unauthenticated access is intended for interacting with a store on behalf of a customer to perform actions such as viewing products or initiating a checkout.

Apps require a Storefront API access token (separate from an Admin API access token) to make requests to the Storefront API.

For private apps, you can copy and paste the access token from the private app setup page after Storefront API access is enabled. Public and custom apps can create a Storefront API access token using the Admin API after installation, either using the StorefrontAccessToken REST resource or the storefrontAccessTokenCreate GraphQL mutation. Any access tokens that your app creates will automatically inherit the unauthenticated access scopes granted to that app.

Your app can request the following unauthenticated scopes:

| Scope | Unauthenticated access granted |
| --- | --- |
| unauthenticated_read_checkouts, unauthenticated_write_checkouts | Checkout object |
| unauthenticated_read_customers, unauthenticated_write_customers | Customer object |
| unauthenticated_read_customer_tags | tags field on the Customer object |
| unauthenticated_read_content | Storefront content, such as Article, Blog, and Comment objects |
| unauthenticated_read_product_listings | Product and Collection objects |
| unauthenticated_read_product_tags | tags field on the Product object |
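The granted scopes reported by the AccessScope resource can be audited against what an app actually needs. The following is an added example, not Shopify's own code: the sample response is constructed, its shape (an access_scopes list of handle entries) and the REQUIRED set are assumptions, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like a REST AccessScope response
# (assumed shape: {"access_scopes": [{"handle": ...}]}); not from a real shop.
SAMPLE_RESPONSE = """
{"access_scopes": [
  {"handle": "read_products"},
  {"handle": "write_products"},
  {"handle": "read_orders"},
  {"handle": "read_all_orders"},
  {"handle": "write_script_tags"},
  {"handle": "unauthenticated_read_product_listings"}
]}
"""

# Assumption: the scopes this hypothetical app actually needs.
REQUIRED = {"read_products", "read_orders", "unauthenticated_read_product_listings"}


def split_scope(handle):
    """Return (api, mode, resource) for a scope handle from the tables above."""
    api = "admin"
    if handle.startswith("unauthenticated_"):
        api, handle = "storefront", handle[len("unauthenticated_"):]
    mode, _, resource = handle.partition("_")
    if mode not in ("read", "write") or not resource:
        raise ValueError(f"unrecognised scope handle: {handle!r}")
    return api, mode, resource


def audit(response_text, required):
    """Compare granted scopes with the required set and report the drift."""
    granted = {s["handle"] for s in json.loads(response_text)["access_scopes"]}
    excess = granted - required
    return {
        "missing": sorted(required - granted),
        "excess": sorted(excess),
        # Write access beyond what the app needs is the first thing to remove.
        "excess_write": sorted(h for h in excess if split_scope(h)[1] == "write"),
        # The page says read_all_orders is used with read_orders/write_orders.
        "all_orders_without_orders": "read_all_orders" in granted
        and not granted & {"read_orders", "write_orders"},
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSE, REQUIRED), indent=2))
```

Running the same audit after each install or scope change shows when the granted set has drifted from the declared one.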