--- title: Customer marketing URL fields now require write access - Shopify developer changelog description: Shopify’s developer changelog documents all changes to Shopify’s platform. Find the latest news and learn about new platform opportunities. source_url: html: https://shopify.dev/changelog/customer-marketing-url-fields-now-require-write-access md: https://shopify.dev/changelog/customer-marketing-url-fields-now-require-write-access.md --- [Back to Developer changelog](https://shopify.dev/changelog) December 18, 2025 Tags: * Action Required * Admin GraphQL API # Customer marketing URL fields now require write access **Effective immediately**: The following customer-related fields now require the `write_customers` scope and the `create_and_edit_customers` permission: * `Customer.emailOpenTrackingUrl` (deprecated) * `Customer.unsubscribeUrl` (deprecated) * `CustomerEmailAddress.openTrackingUrl` * `CustomerEmailAddress.marketingUnsubscribeUrl` * `CustomerPhoneNumber.marketingUnsubscribeUrl` **Reason for change** This update addresses a security vulnerability. These fields return URLs with secret tokens that can modify customer marketing consent, such as unsubscribing a customer. Previously, apps with only the `read_customers` scope could access these URLs, potentially leading to unauthorized changes to customer preferences. By updating the access requirements, we aim to prevent such security risks. According to our [API breaking change policy](https://vault.shopify.io/page/Types-of-changes~dhb7e32.md#security-fixes), security fixes are implemented immediately across all API versions, bypassing the standard deprecation process. **Action required** If your app queries these fields, you must: 1. Update your app to include the `write_customers` access scope. Previously, the `read_customers` scope was sufficient. 2. Ensure the user making the request has the `create_and_edit_customers` permission. Apps that only have the `read_customers` scope will now encounter an access denied error when attempting to query these fields.