Shopify API Access scopes

Part of the app authorization process requires specifying which parts of a shop's data the app needs access to. An app can request any of the authenticated or unauthenticated access scopes listed below.

Only public or custom apps are granted access scopes. Legacy app types, such as published or unpublished, will not be granted new access scopes.

You can check your app’s granted access scopes with the AccessScope resource, available through the Admin API in both GraphQL and REST.

Authenticated access scopes

Authenticated access scopes control access to resources in the REST Admin API and the GraphQL Admin API. Authenticated access is intended for interacting with a store on behalf of the merchant to perform actions such as creating products and managing discount codes.

Authenticated access scopes
Scope	Authenticated access granted
`read_all_orders`	All orders rather than the default window of 60 days worth of orders This OAuth scope is used in conjunction with `read_orders` and `write_orders`. You need to request this scope from your Partner Dashboard before adding it to your app.
`read_assigned_fulfillment_orders`, `write_assigned_fulfillment_orders`	FulfillmentOrder resources assigned to a location managed by your fulfillment service
`read_checkouts`, `write_checkouts`	Checkouts
`read_content`, `write_content`	Article, Blog, Comment, Page, and Redirect
`read_customers`, `write_customers`	Customer and Saved Search
`read_discounts`, `write_discounts`	GraphQL Admin API Discounts features
`read_draft_orders`, `write_draft_orders`	Draft Order
`read_files`, `write_files`	GraphQL Admin API GenericFile object and fileCreate, fileUpdate, and fileDelete mutations
`read_fulfillments`, `write_fulfillments`	Fulfillment Service
`read_gift_cards`, `write_gift_cards`	Gift Card SHOPIFY PLUS
`read_inventory`, `write_inventory`	Inventory Level and Inventory Item
`read_legal_policies`	GraphQL Admin API Shop Policy
`read_locales`, `write_locales`	GraphQL Admin API Shop Locale
`read_locations`	Location
`read_marketing_events`, `write_marketing_events`	Marketing Event
`read_merchant_approval_signals`	MerchantApprovalSignals
`read_merchant_managed_fulfillment_orders`, `write_merchant_managed_fulfillment_orders`	FulfillmentOrder resources assigned to merchant-managed locations
`read_orders`, `write_orders`	Abandoned checkouts, Customer, Fulfillment, Order, and Transaction resources
`read_price_rules`, `write_price_rules`	Price Rules
`read_products`, `write_products`	Product, Product Variant, Product Image, Collect, Custom Collection, and Smart Collection
`read_product_listings`	Product Listing, and Collection Listing
`read_reports`, `write_reports`	Reports
`read_resource_feedbacks`, `write_resource_feedbacks`	ResourceFeedback
`read_script_tags`, `write_script_tags`	Script Tag
`read_shipping`, `write_shipping`	Carrier Service, Country, and Province
`read_shopify_payments_disputes`	Shopify Payments Dispute resource
`read_shopify_payments_payouts`	Shopify Payments Payout, Balance, and Transaction resources
`read_themes`, `write_themes`	Asset and Theme
`read_translations`, `write_translations`	GraphQL Admin API Translatable object
`read_third_party_fulfillment_orders`, `write_third_party_fulfillment_orders`	FulfillmentOrder resources assigned to a location managed by any fulfillment service
`read_users`, `write_users`	User SHOPIFY PLUS
`write_order_edits`	GraphQL Admin API order editing features

Unauthenticated access scopes

Unauthenticated access scopes control access to objects in the Storefront API. Unauthenticated access is intended for interacting with a store on behalf of a customer to perform actions such as viewing products or initiating a checkout.

Apps require a Storefront API access token (separate from an Admin API access token) to make requests to the Storefront API.

For private apps, you can copy and paste the access token from the private app setup page after Storefront API access is enabled. Public and custom apps can create a Storefront API access token using the Admin API after installation, either using the StorefrontAccessToken REST resource or the storeFrontAccessTokenCreate GraphQL mutation. Any access tokens that your app creates will automatically inherit the unauthenticated access scopes granted to that app.

Your app can request the following unauthenticated scopes:

Unauthenticated access scopes
Scope	Unauthenticated access granted
`unauthenticated_read_checkouts`, `unauthenticated_write_checkouts`	Checkout object
`unauthenticated_read_customers`, `unauthenticated_write_customers`	Customer object
`unauthenticated_read_customer_tags`	`tags` field on the Customer object
`unauthenticated_read_content`	Storefront content, such as Article, Blog, and Comment objects
`unauthenticated_read_product_listings`	Product and Collection objects
`unauthenticated_read_product_tags`	`tags` field on the Product object.

Cart

Objects

Mutations

Interfaces

Inputs

Checkouts

Unions

Objects

Mutations

Inputs

Enums

Common objects

Customers

Objects

Mutations

Inputs

Directives

Online store

Objects

Enums

Orders

Objects

Enums

Products

Unions

Objects

Inputs

Enums

App events

Objects

Interfaces

Enums

Common objects

Directives

Jobs

Unions

Objects

Enums

Transactions

Objects

Interfaces

Enums

App configuration

Mutations

Capture

Mutations

Common APIs

Directives

Payment

Mutations

Refund

Mutations

Void

Mutations

Primitive

Global

Product and variant

Cart

Localization

Primitive

Global

Product and variant

Cart

Localization

Metafield

Components

Versioning

Bulk operations

Pagination

Internationalization

Marketing

Orders

Products

Shipping

Reference

Cart

Objects

Mutations

Interfaces

Inputs