Skip to main content
Back to changelog

Card deposit endpoint now requires mTLS certificate

Shopify's card-deposit endpoint now requires a Shopify-issued mTLS client certificate. Apps that store cardholder data with the customerPaymentMethodCreditCardCreate and customerPaymentMethodCreditCardUpdate GraphQL Admin API mutations must first deposit that data at Shopify's /sessions card-deposit endpoint to receive a session identifier. That deposit call must present a Shopify-issued certificate by October 15, 2026. This is a required change: after enforcement begins, deposit requests will be required to have a valid certificate. If your app deposits cardholder data, you must update.

What changed

The card-deposit endpoint at https://checkout-mtls.pci.shopifyinc.com/sessions is unchanged. What's new is that every request to it must present a Shopify-issued mTLS client certificate. Previously, requests to this endpoint did not require a client certificate.

The GraphQL Admin API vault mutations are unchanged. You continue to call customerPaymentMethodCreditCardCreate and customerPaymentMethodCreditCardUpdate with the session identifier returned by the deposit call, and your GraphQL Admin API OAuth flow is unaffected.

customerPaymentMethodRemoteCreate is out of scope. It imports references to payment methods already held at external gateways and deposits no cardholder data to Shopify.

Who's affected

This applies to apps that deposit cardholder data to Shopify through customerPaymentMethodCreditCardCreate or customerPaymentMethodCreditCardUpdate.

Apps that only call customerPaymentMethodRemoteCreate to import payment methods from external gateways such as Stripe, Braintree, Authorize.Net, Adyen, or PayPal are not affected and need to take no action.

Why this matters

All cardholder-data traffic reaching the deposit endpoint must be attributable to an authenticated caller. Requiring a client certificate lets Shopify verify who is depositing card data ahead of Black Friday and Cyber Monday 2026, and is the prerequisite for rejecting unauthenticated deposit traffic.

What to do

If your app deposits cardholder data, migrate before October 15, 2026:

  1. Confirm whether your app calls customerPaymentMethodCreditCardCreate or customerPaymentMethodCreditCardUpdate. If it only calls customerPaymentMethodRemoteCreate, no action is required.
  2. Request a Shopify-issued client certificate at shopify-mtls-partnerships@shopify.com. Include your API client ID and technical point of contact. First certificates are signed manually by Shopify and take a few days, so start early.
  3. Present the certificate on your /sessions deposit call, and continue passing the returned session identifier to the vault mutations unchanged.
  4. Confirm your deposit traffic now arrives with a valid certificate. Shopify validates the cutover on our side.

After your first certificate, rotate it self-serve with Shopify's Certificate Signing Service before the 1-year TTL expires . No Shopify involvement is needed. A missed rotation stops your deposits, so monitor certificate expiry as part of your standard observability.

Apps that haven't migrated by October 15, 2026 lose the ability to deposit new cardholder data once the certificate requirement is enforced.

Related docs

Was this page helpful?