---
title: >-
  Customer marketing URL fields now require write access - Shopify developer changelog
description: >-
  Shopify’s developer changelog documents all changes to Shopify’s platform. Find the latest news and learn about new platform opportunities.
source_url:
  html: >-
    https://shopify.dev/changelog/customer-marketing-url-fields-now-require-write-access
  md: >-
    https://shopify.dev/changelog/customer-marketing-url-fields-now-require-write-access.md
metadata:
  effectiveApiVersion: null
  affectedApi:
    - displayName: Admin GraphQL API
      handle: admin-graphql
  primaryTag:
    displayName: API
    handle: api
  secondaryTag:
    displayName: Breaking API Change
    handle: breaking-api-change
  indicatesActionRequired: true
  createdAt: '2025-12-17T10:56:50-05:00'
  postedAt: '2025-12-18T12:00:00-05:00'
  updatedAt: '2025-12-18T00:57:21-05:00'
  effectiveAt: '2025-12-18T12:00:00-05:00'
---

December 18, 2025

Tags:

* Action Required
* Admin GraphQL API

# Customer marketing URL fields now require write access

**Effective immediately**: The following customer-related fields now require the `write_customers` scope and the `create_and_edit_customers` permission:

* `Customer.emailOpenTrackingUrl` (deprecated)
* `Customer.unsubscribeUrl` (deprecated)
* `CustomerEmailAddress.openTrackingUrl`
* `CustomerEmailAddress.marketingUnsubscribeUrl`
* `CustomerPhoneNumber.marketingUnsubscribeUrl`

**Reason for change**

This update addresses a security vulnerability. These fields return URLs with secret tokens that can modify customer marketing consent, such as unsubscribing a customer. Previously, apps with only the `read_customers` scope could access these URLs, potentially leading to unauthorized changes to customer preferences. By updating the access requirements, we aim to prevent such security risks.

According to our [API breaking change policy](https://vault.shopify.io/page/Types-of-changes~dhb7e32.md#security-fixes), security fixes are implemented immediately across all API versions, bypassing the standard deprecation process.

**Action required**

If your app queries these fields, you must:

1. Update your app to include the `write_customers` access scope. Previously, the `read_customers` scope was sufficient.
2. Ensure the user making the request has the `create_and_edit_customers` permission.

Apps that only have the `read_customers` scope will now encounter an access denied error when attempting to query these fields.
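
To find out whether an app is affected, the following added example (not Shopify's code) scans a GraphQL document for the five fields listed above and compares the result with the app's granted scopes. The function names and the sample query are hypothetical, and fields are matched by name only, without consulting the schema.

```javascript
// Field names from the changelog entry. Matching is by selection name only
// (assumption: no schema lookup, so a same-named field on another type also matches).
const GATED_FIELDS = new Set([
  "emailOpenTrackingUrl",    // Customer (deprecated)
  "unsubscribeUrl",          // Customer (deprecated)
  "openTrackingUrl",         // CustomerEmailAddress
  "marketingUnsubscribeUrl", // CustomerEmailAddress, CustomerPhoneNumber
]);

// Blank out block strings, strings and comments in one pass so that a field
// name mentioned inside them is not reported.
function stripNoise(query) {
  return query.replace(/"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*/g, " ");
}

// Return the gated fields a GraphQL document actually selects.
function gatedFieldsIn(query) {
  const found = new Set();
  let parenDepth = 0; // > 0 while inside an argument or variable list
  const token = /[()]|([$@]?)([A-Za-z_]\w*)(\s*:)?/g;
  for (const m of stripNoise(query).matchAll(token)) {
    if (m[0] === "(") parenDepth++;
    else if (m[0] === ")") parenDepth--;
    // Skip variables ($x), directives (@x) and names followed by ":" (aliases).
    else if (parenDepth === 0 && !m[1] && !m[3] && GATED_FIELDS.has(m[2])) found.add(m[2]);
  }
  return [...found].sort();
}

// grantedScopes: comma-separated scope string as granted to the app.
// The user's create_and_edit_customers permission cannot be checked from scopes.
function auditQuery(query, grantedScopes) {
  const scopes = new Set(grantedScopes.split(",").map((s) => s.trim()).filter(Boolean));
  const fields = gatedFieldsIn(query);
  return { fields, needsScopeUpdate: fields.length > 0 && !scopes.has("write_customers") };
}

// Constructed sample: the comment and the alias name must not count, the aliased field must.
const SAMPLE_QUERY = `
  # previously read unsubscribeUrl with read_customers only
  query Marketing($id: ID!) {
    customer(id: $id) {
      id
      openTrackingUrl: displayName
      link: unsubscribeUrl
    }
  }`;

console.log(auditQuery(SAMPLE_QUERY, "read_customers,read_orders"));
```

Run `auditQuery` over every query string the app sends; any result with `needsScopeUpdate` set to `true` marks a query that needs `write_customers` before it will succeed again.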