Shopify's card-deposit endpoint now requires a Shopify-issued mTLS client certificate. Apps that store cardholder data with the and GraphQL Admin API mutations must first deposit that data at Shopify's /sessions card-deposit endpoint to receive a session identifier. That deposit call must present a Shopify-issued certificate by October 15, 2026. This is a required change: after enforcement begins, deposit requests will be required to have a valid certificate. If your app deposits cardholder data, you must update.
What changed
The card-deposit endpoint at is unchanged. What's new is that every request to it must present a Shopify-issued mTLS client certificate. Previously, requests to this endpoint did not require a client certificate.
The GraphQL Admin API vault mutations are unchanged. You continue to call and with the session identifier returned by the deposit call, and your GraphQL Admin API OAuth flow is unaffected.
is out of scope. It imports references to payment methods already held at external gateways and deposits no cardholder data to Shopify.
Who's affected
This applies to apps that deposit cardholder data to Shopify through or .
Apps that only call to import payment methods from external gateways such as Stripe, Braintree, Authorize.Net, Adyen, or PayPal are not affected and need to take no action.
Why this matters
All cardholder-data traffic reaching the deposit endpoint must be attributable to an authenticated caller. Requiring a client certificate lets Shopify verify who is depositing card data ahead of Black Friday and Cyber Monday 2026, and is the prerequisite for rejecting unauthenticated deposit traffic.
What to do
If your app deposits cardholder data, migrate before October 15, 2026:
- Confirm whether your app calls
or. If it only calls, no action is required. - Request a Shopify-issued client certificate at shopify-mtls-partnerships@shopify.com. Include your API client ID and technical point of contact. First certificates are signed manually by Shopify and take a few days, so start early.
- Present the certificate on your
/sessionsdeposit call, and continue passing the returned session identifier to the vault mutations unchanged. - Confirm your deposit traffic now arrives with a valid certificate. Shopify validates the cutover on our side.
After your first certificate, rotate it self-serve with Shopify's Certificate Signing Service before the 1-year TTL expires . No Shopify involvement is needed. A missed rotation stops your deposits, so monitor certificate expiry as part of your standard observability.
Apps that haven't migrated by October 15, 2026 lose the ability to deposit new cardholder data once the certificate requirement is enforced.