
Customer marketing URL fields now require write access

Effective immediately: The following customer-related fields now require the write_customers scope and the create_and_edit_customers permission:

  • Customer.emailOpenTrackingUrl (deprecated)
  • Customer.unsubscribeUrl (deprecated)
  • CustomerEmailAddress.openTrackingUrl
  • CustomerEmailAddress.marketingUnsubscribeUrl
  • CustomerPhoneNumber.marketingUnsubscribeUrl

Reason for change

This update addresses a security vulnerability. These fields return URLs with secret tokens that can modify customer marketing consent, such as unsubscribing a customer. Previously, apps with only the read_customers scope could access these URLs, potentially leading to unauthorized changes to customer preferences. By updating the access requirements, we aim to prevent such security risks.

According to our API breaking change policy, security fixes are implemented immediately across all API versions, bypassing the standard deprecation process.

Action required

If your app queries these fields, you must:

  1. Update your app to include the write_customers access scope. Previously, the read_customers scope was sufficient.
  2. Ensure the user making the request has the create_and_edit_customers permission.

Apps that only have the read_customers scope will now encounter an access denied error when attempting to query these fields.
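As an added migration check (example code written for this page, not part of Shopify's changelog, SDKs or API), the script below scans a GraphQL document for the field names listed above and reports whether an app's granted scopes and the requesting user's permissions satisfy the new requirement before the request is sent. The sample queries, the `defaultEmailAddress` selection shape and the scope and permission sets are constructed assumptions.

```python
import re

# Leaf field names listed in the changelog entry that now require write access.
WRITE_ONLY_FIELDS = {
    "emailOpenTrackingUrl", "unsubscribeUrl",      # Customer (deprecated)
    "openTrackingUrl", "marketingUnsubscribeUrl",  # CustomerEmailAddress / CustomerPhoneNumber
}
REQUIRED_SCOPE = "write_customers"
REQUIRED_PERMISSION = "create_and_edit_customers"

_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # string literals may contain field-like words
_COMMENT_RE = re.compile(r"#[^\n]*")           # GraphQL line comments
# An identifier not followed by ":", so "alias:" and "argument:" forms are skipped.
_FIELD_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\b(?!\s*:)")


def sensitive_fields_in_query(query: str) -> set[str]:
    """Return the write-only marketing URL fields selected anywhere in a GraphQL document."""
    cleaned = _COMMENT_RE.sub("", _STRING_RE.sub('""', query))
    return {name for name in _FIELD_RE.findall(cleaned) if name in WRITE_ONLY_FIELDS}


def check_query_access(query: str, granted_scopes: set[str], user_permissions: set[str]) -> dict:
    """Report whether the app scope and the user's permission cover the fields the query selects."""
    fields = sensitive_fields_in_query(query)
    problems = []
    if fields and REQUIRED_SCOPE not in granted_scopes:
        problems.append(f"app lacks scope {REQUIRED_SCOPE}; read_customers is no longer sufficient")
    if fields and REQUIRED_PERMISSION not in user_permissions:
        problems.append(f"requesting user lacks permission {REQUIRED_PERMISSION}")
    return {"fields": sorted(fields), "allowed": not problems, "problems": problems}


# Constructed sample documents (illustrative selection shape, not copied from the API reference).
SAFE_QUERY = """
query($id: ID!) { customer(id: $id) { id email # unsubscribeUrl appears only in a comment
  note } }
"""
MARKETING_QUERY = """
query($id: ID!) {
  customer(id: $id) {
    unsubscribeUrl                      # deprecated Customer field
    defaultEmailAddress { optOut: marketingUnsubscribeUrl }
  }
}
"""

if __name__ == "__main__":
    for scopes in ({"read_customers"}, {"read_customers", "write_customers"}):
        print(sorted(scopes), check_query_access(MARKETING_QUERY, scopes, {REQUIRED_PERMISSION}))
```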
