--- title: Order Risk description: Display a fraud analysis and recommendations on the details page of an order. api_version: 2026-01 api_name: admin-rest api_type: rest source_url: html: 'https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk' md: 'https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md' --- The REST Admin API is a legacy API as of October 1, 2024. Starting April 1, 2025, all new public apps must be built exclusively with the [GraphQL Admin API](https://shopify.dev/docs/api/admin-graphql). For details and migration steps, visit our [migration guide](https://shopify.dev/docs/apps/build/graphql/migrate). # Order Risk **Requires \`orders\` access scope.:** The Order Risk resource allows you to create, retrieve, update, and delete order risks. Order risks represent the results of fraud checks that have been completed for an order. #### Usage notes **Caution:** As of version 2024-04 this resource is deprecated. Risk Assessments can be queried via the [Order Risk Assessment API](https://shopify.dev/docs/api/admin-graphql/2024-04/objects/OrderRiskAssessment). * This resource is deprecated in version 2024-04. Please refer to the GraphQL api for [Order#field-order-risk](https://shopify.dev/docs/api/admin-graphql/2024-04/objects/Order#field-order-risk) * When determining an order's risk level, Shopify takes into account only those order risks that have the display property set to `true`. Orders with a display set to `false` will not be returned through the Order Risk resource. It's not advised to create order risks with a display set to `false`. This property might be removed in future API versions. * Risk assessments will favor the most severe risk recommendation for an order. Keep this in mind when creating new order risks. \# ## Endpoints * [post](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#post-orders-order-id-risks) [/admin/api/latest/orders/{order\_​id}/risks.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#post-orders-order-id-risks) Creates an order risk for an order [orderRiskAssessmentCreate](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order) * [get](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#get-orders-order-id-risks) [/admin/api/latest/orders/{order\_​id}/risks.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#get-orders-order-id-risks) Retrieves a list of all order risks for an order [order](https://shopify.dev/docs/api/admin-graphql/latest/queries/order) * [get](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#get-orders-order-id-risks-risk-id) [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#get-orders-order-id-risks-risk-id) Retrieves a single order risk by its ID deprecated * [put](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#put-orders-order-id-risks-risk-id) [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#put-orders-order-id-risks-risk-id) Updates an order risk deprecated * [del](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#delete-orders-order-id-risks-risk-id) [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md#delete-orders-order-id-risks-risk-id) Deletes an order risk for an order deprecated *** ## The Order Risk resource ### Properties *** cause\_cancel ->[recommendation](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation) Whether this order risk is severe enough to force the cancellation of the order. If `true`, then this order risk is included in the **Order canceled** message that's shown on the details page of the canceled order. **Note:** Setting this property to `true` does not cancel the order. Use this property only if your app automatically cancels the order using the [Order](https://shopify.dev/docs/admin-api/rest/reference/orders/order/#cancel-{{%20current_version%20}}) resource. If your app doesn't automatically cancel orders based on order risks, then leave this property set to `false`. *** checkout\_id deprecated The ID of the checkout that the order risk belongs to. *** display deprecated Whether the order risk is displayed on the order details page in the Shopify admin. If `false`, then this order risk is ignored when Shopify determines your app's overall risk level for the order. It's not advised to create order risks with a display set to `false`. **Note:** This property can't be changed after an order risk is created. This property might be removed in future API versions. *** id deprecated A unique numeric identifier for the order risk. *** merchant\_message deprecated The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if `display` is set to`true`. *** message ->[description](https://shopify.dev/docs/api/admin-graphql/latest/objects/RiskFact#field-RiskFact.fields.description) The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if `display` is set to`true`. *** order\_id ->[id](https://shopify.dev/docs/api/admin-graphql/latest/objects/Order#field-Order.fields.id) The ID of the order that the order risk belongs to. *** recommendation ->[recommendation](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation) The recommended action given to the merchant. Valid values: * **cancel**: There is a high level of risk that this order is fraudulent. The merchant should cancel the order. * **investigate**: There is a medium level of risk that this order is fraudulent. The merchant should investigate the order. * **accept**: There is a low level of risk that this order is fraudulent. The order risk found no indication of fraud. *** score string ->[riskLevel](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.riskLevel) **For internal use only**. A number between 0 and 1 that's assigned to the order. The closer the score is to 1, the more likely it is that the order is fraudulent. **Note:** There is no guarantee of stability in risk scores. Scores are not probabilities. The relationship between scores and the probability of fraud can vary over time and between risk providers. *** source ->[provider](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.provider) The source of the order risk. *** {} ## The Order Risk resource ```json { "cause_cancel": false, "checkout_id": 901414060, "display": true, "id": 284138680, "merchant_message": "This order came from an anonymous proxy.", "message": "This order came from an anonymous proxy.", "order_id": 450789469, "recommendation": "cancel", "score": "1.0", "source": "External" } ``` *** ## postCreates an order risk for an order [orderRiskAssessmentCreate](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order) Creates an order risk for an order ### Parameters *** api\_version string required *** order\_id string required *** ### Examples ### Create an order risk showing a fraud risk for proxy detection ### Path parameters order\_​id=​450789469 string required post ## /admin/api/2026-01/orders/450789469/risks.​json ```bash curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \ -X POST "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` {} ## Response JSON ```json HTTP/1.1 201 Created { "risk": { "id": 1029151492, "order_id": 450789469, "checkout_id": 901414060, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order came from an anonymous proxy", "merchant_message": "This order came from an anonymous proxy" } } ``` ### examples * #### Create an order risk showing a fraud risk for proxy detection ##### ```curl curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \ -X POST "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` ##### ```remix const { admin, session } = await authenticate.admin(request); const order_risk = new admin.rest.resources.OrderRisk({session: session}); order_risk.order_id = 450789469; order_risk.message = "This order came from an anonymous proxy"; order_risk.recommendation = "cancel"; order_risk.score = "1.0"; order_risk.source = "External"; order_risk.cause_cancel = true; order_risk.display = true; await order_risk.save({ update: true, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session order_risk = ShopifyAPI::OrderRisk.new(session: test_session) order_risk.order_id = 450789469 order_risk.message = "This order came from an anonymous proxy" order_risk.recommendation = "cancel" order_risk.score = "1.0" order_risk.source = "External" order_risk.cause_cancel = true order_risk.display = true order_risk.save! ``` ##### ```node // Session is built by the OAuth process const order_risk = new shopify.rest.OrderRisk({session: session}); order_risk.order_id = 450789469; order_risk.message = "This order came from an anonymous proxy"; order_risk.recommendation = "cancel"; order_risk.score = "1.0"; order_risk.source = "External"; order_risk.cause_cancel = true; order_risk.display = true; await order_risk.save({ update: true, }); ``` #### response ```json HTTP/1.1 201 Created{"risk":{"id":1029151492,"order_id":450789469,"checkout_id":901414060,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order came from an anonymous proxy","merchant_message":"This order came from an anonymous proxy"}} ``` *** ## getRetrieves a list of all order risks for an order [order](https://shopify.dev/docs/api/admin-graphql/latest/queries/order) Retrieves a list of all order risks for an order. **Note:** This endpoint implements pagination by using links that are provided in the response header. To learn more, refer to [Make paginated requests to the REST Admin API](https://shopify.dev/api/usage/pagination-rest). ### Parameters *** api\_version string required *** order\_id string required *** ### Examples ### Retrieve all order risks for an order ### Path parameters order\_​id=​450789469 string required get ## /admin/api/2026-01/orders/450789469/risks.​json ```bash curl -X GET "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risks": [ { "id": 284138680, "order_id": 450789469, "checkout_id": null, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order was placed from a proxy IP", "merchant_message": "This order was placed from a proxy IP" }, { "id": 1029151491, "order_id": 450789469, "checkout_id": 901414060, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order came from an anonymous proxy", "merchant_message": "This order came from an anonymous proxy" } ] } ``` ### examples * #### Retrieve all order risks for an order ##### ```curl curl -X GET "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix await admin.rest.resources.OrderRisk.all({ session: session, order_id: 450789469, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session ShopifyAPI::OrderRisk.all( session: test_session, order_id: 450789469, ) ``` ##### ```node // Session is built by the OAuth process await shopify.rest.OrderRisk.all({ session: session, order_id: 450789469, }); ``` #### response ```json HTTP/1.1 200 OK{"risks":[{"id":284138680,"order_id":450789469,"checkout_id":null,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order was placed from a proxy IP","merchant_message":"This order was placed from a proxy IP"},{"id":1029151491,"order_id":450789469,"checkout_id":901414060,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order came from an anonymous proxy","merchant_message":"This order came from an anonymous proxy"}]} ``` *** ## getRetrieves a single order risk by its IDdeprecated Retrieves a single order risk by its ID ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples ### Retrieve a single order risk get ## /admin/api/2026-01/orders/450789469/risks/284138680.​json ```bash curl -X GET "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risk": { "id": 284138680, "order_id": 450789469, "checkout_id": null, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order was placed from a proxy IP", "merchant_message": "This order was placed from a proxy IP" } } ``` ### examples * #### Retrieve a single order risk ##### ```curl curl -X GET "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix await admin.rest.resources.OrderRisk.find({ session: session, order_id: 450789469, id: 284138680, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session ShopifyAPI::OrderRisk.find( session: test_session, order_id: 450789469, id: 284138680, ) ``` ##### ```node // Session is built by the OAuth process await shopify.rest.OrderRisk.find({ session: session, order_id: 450789469, id: 284138680, }); ``` #### response ```json HTTP/1.1 200 OK{"risk":{"id":284138680,"order_id":450789469,"checkout_id":null,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order was placed from a proxy IP","merchant_message":"This order was placed from a proxy IP"}} ``` *** ## putUpdates an order riskdeprecated Updates an order risk **Note:** You cannot modify an order risk that was created by another application. ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples ### Update an existing order risk for an order put ## /admin/api/2026-01/orders/450789469/risks/284138680.​json ```bash curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \ -X PUT "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risk": { "order_id": 450789469, "cause_cancel": false, "message": "After further review, this is a legitimate order", "recommendation": "accept", "score": "0.0", "source": "External", "id": 284138680, "checkout_id": null, "display": true, "merchant_message": "After further review, this is a legitimate order" } } ``` ### examples * #### Update an existing order risk for an order ##### ```curl curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \ -X PUT "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` ##### ```remix const { admin, session } = await authenticate.admin(request); const order_risk = new admin.rest.resources.OrderRisk({session: session}); order_risk.order_id = 450789469; order_risk.id = 284138680; order_risk.message = "After further review, this is a legitimate order"; order_risk.recommendation = "accept"; order_risk.source = "External"; order_risk.cause_cancel = false; order_risk.score = "0.0"; await order_risk.save({ update: true, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session order_risk = ShopifyAPI::OrderRisk.new(session: test_session) order_risk.order_id = 450789469 order_risk.id = 284138680 order_risk.message = "After further review, this is a legitimate order" order_risk.recommendation = "accept" order_risk.source = "External" order_risk.cause_cancel = false order_risk.score = "0.0" order_risk.save! ``` ##### ```node // Session is built by the OAuth process const order_risk = new shopify.rest.OrderRisk({session: session}); order_risk.order_id = 450789469; order_risk.id = 284138680; order_risk.message = "After further review, this is a legitimate order"; order_risk.recommendation = "accept"; order_risk.source = "External"; order_risk.cause_cancel = false; order_risk.score = "0.0"; await order_risk.save({ update: true, }); ``` #### response ```json HTTP/1.1 200 OK{"risk":{"order_id":450789469,"cause_cancel":false,"message":"After further review, this is a legitimate order","recommendation":"accept","score":"0.0","source":"External","id":284138680,"checkout_id":null,"display":true,"merchant_message":"After further review, this is a legitimate order"}} ``` *** ## delDeletes an order risk for an orderdeprecated Deletes an order risk for an order **Note:** You cannot delete an order risk that was created by another application. ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples ### Delete an order risk for an order del ## /admin/api/2026-01/orders/450789469/risks/284138680.​json ```bash curl -X DELETE "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK {} ``` ### examples * #### Delete an order risk for an order ##### ```curl curl -X DELETE "https://your-development-store.myshopify.com/admin/api/2026-01/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix await admin.rest.resources.OrderRisk.delete({ session: session, order_id: 450789469, id: 284138680, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session ShopifyAPI::OrderRisk.delete( session: test_session, order_id: 450789469, id: 284138680, ) ``` ##### ```node // Session is built by the OAuth process await shopify.rest.OrderRisk.delete({ session: session, order_id: 450789469, id: 284138680, }); ``` #### response ```json HTTP/1.1 200 OK{} ```