--- title: Order Risk description: Display a fraud analysis and recommendations on the details page of an order. api_version: 2025-10 api_name: admin-rest api_type: rest source_url: html: https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk md: https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk.md --- The REST Admin API is a legacy API as of October 1, 2024. Starting April 1, 2025, all new public apps must be built exclusively with the [GraphQL Admin API](https://shopify.dev/docs/api/admin-graphql). For details and migration steps, visit our [migration guide](https://shopify.dev/docs/apps/build/graphql/migrate). # Order Risk Requires `orders` access scope. The Order Risk resource allows you to create, retrieve, update, and delete order risks. Order risks represent the results of fraud checks that have been completed for an order. #### Usage notes Caution As of version 2024-04 this resource is deprecated. Risk Assessments can be queried via the [Order Risk Assessment API](https://shopify.dev/docs/api/admin-graphql/2024-04/objects/OrderRiskAssessment). * This resource is deprecated in version 2024-04. Please refer to the GraphQL api for [Order#field-order-risk](https://shopify.dev/docs/api/admin-graphql/2024-04/objects/Order#field-order-risk) * When determining an order's risk level, Shopify takes into account only those order risks that have the display property set to `true`. Orders with a display set to `false` will not be returned through the Order Risk resource. It's not advised to create order risks with a display set to `false`. This property might be removed in future API versions. * Risk assessments will favor the most severe risk recommendation for an order. Keep this in mind when creating new order risks. \# ## Endpoints * [post](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#post-orders-order-id-risks) [/admin/api/latest/orders/{order\_​id}/risks.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#post-orders-order-id-risks) Creates an order risk for an order [orderRiskAssessmentCreate](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order) * [get](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#get-orders-order-id-risks) [/admin/api/latest/orders/{order\_​id}/risks.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#get-orders-order-id-risks) Retrieves a list of all order risks for an order [order](https://shopify.dev/docs/api/admin-graphql/latest/queries/order) * [get](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#get-orders-order-id-risks-risk-id) [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#get-orders-order-id-risks-risk-id) Retrieves a single order risk by its ID deprecated * [put](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#put-orders-order-id-risks-risk-id) [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#put-orders-order-id-risks-risk-id) Updates an order risk deprecated * [del](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#delete-orders-order-id-risks-risk-id) [/admin/api/latest/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/latest/resources/order-risk#delete-orders-order-id-risks-risk-id) Deletes an order risk for an order deprecated *** ## The Order Risk resource ### Properties *** cause\_cancel ->[recommendation](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation) Whether this order risk is severe enough to force the cancellation of the order. If `true`, then this order risk is included in the **Order canceled** message that's shown on the details page of the canceled order. **Note:** Setting this property to `true` does not cancel the order. Use this property only if your app automatically cancels the order using the [Order](https://shopify.dev/docs/admin-api/rest/reference/orders/order/#cancel-{{%20current_version%20}}) resource. If your app doesn't automatically cancel orders based on order risks, then leave this property set to `false`. *** checkout\_id deprecated The ID of the checkout that the order risk belongs to. *** display deprecated Whether the order risk is displayed on the order details page in the Shopify admin. If `false`, then this order risk is ignored when Shopify determines your app's overall risk level for the order. It's not advised to create order risks with a display set to `false`. Note This property can't be changed after an order risk is created. This property might be removed in future API versions. *** id deprecated A unique numeric identifier for the order risk. *** merchant\_message deprecated The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if `display` is set to`true`. *** message ->[description](https://shopify.dev/docs/api/admin-graphql/latest/objects/RiskFact#field-RiskFact.fields.description) The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if `display` is set to`true`. *** order\_id ->[id](https://shopify.dev/docs/api/admin-graphql/latest/objects/Order#field-Order.fields.id) The ID of the order that the order risk belongs to. *** recommendation ->[recommendation](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation) The recommended action given to the merchant. Valid values: Show recommendation properties * **cancel**: There is a high level of risk that this order is fraudulent. The merchant should cancel the order. * **investigate**: There is a medium level of risk that this order is fraudulent. The merchant should investigate the order. * **accept**: There is a low level of risk that this order is fraudulent. The order risk found no indication of fraud. *** score string ->[riskLevel](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.riskLevel) **For internal use only**. A number between 0 and 1 that's assigned to the order. The closer the score is to 1, the more likely it is that the order is fraudulent. Note There is no guarantee of stability in risk scores. Scores are not probabilities. The relationship between scores and the probability of fraud can vary over time and between risk providers. *** source ->[provider](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.provider) The source of the order risk. *** {} ## The Order Risk resource ```json { "cause_cancel": false, "checkout_id": 901414060, "display": true, "id": 284138680, "merchant_message": "This order came from an anonymous proxy.", "message": "This order came from an anonymous proxy.", "order_id": 450789469, "recommendation": "cancel", "score": "1.0", "source": "External" } ``` *** ## postCreates an order risk for an order [orderRiskAssessmentCreate](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order) Creates an order risk for an order ### Parameters *** api\_version string required *** order\_id string required *** ### Examples Create an order risk showing a fraud risk for proxy detection Path parameters order\_​id=​450789469 string required post ## /admin/api/2025-10/orders/450789469/risks.​json ```bash curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \ -X POST "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` {} ## Response JSON ```json HTTP/1.1 201 Created { "risk": { "id": 1029151489, "order_id": 450789469, "checkout_id": 901414060, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order came from an anonymous proxy", "merchant_message": "This order came from an anonymous proxy" } } ``` ### examples * #### Create an order risk showing a fraud risk for proxy detection ##### ```curl curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \ -X POST "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` ##### ```remix const { admin, session } = await authenticate.admin(request); const order_risk = new admin.rest.resources.OrderRisk({session: session}); order_risk.order_id = 450789469; order_risk.message = "This order came from an anonymous proxy"; order_risk.recommendation = "cancel"; order_risk.score = "1.0"; order_risk.source = "External"; order_risk.cause_cancel = true; order_risk.display = true; await order_risk.save({ update: true, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session order_risk = ShopifyAPI::OrderRisk.new(session: test_session) order_risk.order_id = 450789469 order_risk.message = "This order came from an anonymous proxy" order_risk.recommendation = "cancel" order_risk.score = "1.0" order_risk.source = "External" order_risk.cause_cancel = true order_risk.display = true order_risk.save! ``` ##### ```node // Session is built by the OAuth process const order_risk = new shopify.rest.OrderRisk({session: session}); order_risk.order_id = 450789469; order_risk.message = "This order came from an anonymous proxy"; order_risk.recommendation = "cancel"; order_risk.score = "1.0"; order_risk.source = "External"; order_risk.cause_cancel = true; order_risk.display = true; await order_risk.save({ update: true, }); ``` #### response ```json HTTP/1.1 201 Created{"risk":{"id":1029151489,"order_id":450789469,"checkout_id":901414060,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order came from an anonymous proxy","merchant_message":"This order came from an anonymous proxy"}} ``` *** ## getRetrieves a list of all order risks for an order [order](https://shopify.dev/docs/api/admin-graphql/latest/queries/order) Retrieves a list of all order risks for an order. **Note:** This endpoint implements pagination by using links that are provided in the response header. To learn more, refer to [Make paginated requests to the REST Admin API](https://shopify.dev/api/usage/pagination-rest). ### Parameters *** api\_version string required *** order\_id string required *** ### Examples Retrieve all order risks for an order Path parameters order\_​id=​450789469 string required get ## /admin/api/2025-10/orders/450789469/risks.​json ```bash curl -X GET "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risks": [ { "id": 284138680, "order_id": 450789469, "checkout_id": null, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order was placed from a proxy IP", "merchant_message": "This order was placed from a proxy IP" }, { "id": 1029151490, "order_id": 450789469, "checkout_id": 901414060, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order came from an anonymous proxy", "merchant_message": "This order came from an anonymous proxy" } ] } ``` ### examples * #### Retrieve all order risks for an order ##### ```curl curl -X GET "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix await admin.rest.resources.OrderRisk.all({ session: session, order_id: 450789469, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session ShopifyAPI::OrderRisk.all( session: test_session, order_id: 450789469, ) ``` ##### ```node // Session is built by the OAuth process await shopify.rest.OrderRisk.all({ session: session, order_id: 450789469, }); ``` #### response ```json HTTP/1.1 200 OK{"risks":[{"id":284138680,"order_id":450789469,"checkout_id":null,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order was placed from a proxy IP","merchant_message":"This order was placed from a proxy IP"},{"id":1029151490,"order_id":450789469,"checkout_id":901414060,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order came from an anonymous proxy","merchant_message":"This order came from an anonymous proxy"}]} ``` *** ## getRetrieves a single order risk by its IDdeprecated Retrieves a single order risk by its ID ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples Retrieve a single order risk get ## /admin/api/2025-10/orders/450789469/risks/284138680.​json ```bash curl -X GET "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risk": { "id": 284138680, "order_id": 450789469, "checkout_id": null, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order was placed from a proxy IP", "merchant_message": "This order was placed from a proxy IP" } } ``` ### examples * #### Retrieve a single order risk ##### ```curl curl -X GET "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix await admin.rest.resources.OrderRisk.find({ session: session, order_id: 450789469, id: 284138680, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session ShopifyAPI::OrderRisk.find( session: test_session, order_id: 450789469, id: 284138680, ) ``` ##### ```node // Session is built by the OAuth process await shopify.rest.OrderRisk.find({ session: session, order_id: 450789469, id: 284138680, }); ``` #### response ```json HTTP/1.1 200 OK{"risk":{"id":284138680,"order_id":450789469,"checkout_id":null,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order was placed from a proxy IP","merchant_message":"This order was placed from a proxy IP"}} ``` *** ## putUpdates an order riskdeprecated Updates an order risk Note You cannot modify an order risk that was created by another application. ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples Update an existing order risk for an order put ## /admin/api/2025-10/orders/450789469/risks/284138680.​json ```bash curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \ -X PUT "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risk": { "order_id": 450789469, "cause_cancel": false, "message": "After further review, this is a legitimate order", "recommendation": "accept", "score": "0.0", "source": "External", "id": 284138680, "checkout_id": null, "display": true, "merchant_message": "After further review, this is a legitimate order" } } ``` ### examples * #### Update an existing order risk for an order ##### ```curl curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \ -X PUT "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` ##### ```remix const { admin, session } = await authenticate.admin(request); const order_risk = new admin.rest.resources.OrderRisk({session: session}); order_risk.order_id = 450789469; order_risk.id = 284138680; order_risk.message = "After further review, this is a legitimate order"; order_risk.recommendation = "accept"; order_risk.source = "External"; order_risk.cause_cancel = false; order_risk.score = "0.0"; await order_risk.save({ update: true, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session order_risk = ShopifyAPI::OrderRisk.new(session: test_session) order_risk.order_id = 450789469 order_risk.id = 284138680 order_risk.message = "After further review, this is a legitimate order" order_risk.recommendation = "accept" order_risk.source = "External" order_risk.cause_cancel = false order_risk.score = "0.0" order_risk.save! ``` ##### ```node // Session is built by the OAuth process const order_risk = new shopify.rest.OrderRisk({session: session}); order_risk.order_id = 450789469; order_risk.id = 284138680; order_risk.message = "After further review, this is a legitimate order"; order_risk.recommendation = "accept"; order_risk.source = "External"; order_risk.cause_cancel = false; order_risk.score = "0.0"; await order_risk.save({ update: true, }); ``` #### response ```json HTTP/1.1 200 OK{"risk":{"order_id":450789469,"cause_cancel":false,"message":"After further review, this is a legitimate order","recommendation":"accept","score":"0.0","source":"External","id":284138680,"checkout_id":null,"display":true,"merchant_message":"After further review, this is a legitimate order"}} ``` *** ## delDeletes an order risk for an orderdeprecated Deletes an order risk for an order Note You cannot delete an order risk that was created by another application. ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples Delete an order risk for an order del ## /admin/api/2025-10/orders/450789469/risks/284138680.​json ```bash curl -X DELETE "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK {} ``` ### examples * #### Delete an order risk for an order ##### ```curl curl -X DELETE "https://your-development-store.myshopify.com/admin/api/2025-10/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix await admin.rest.resources.OrderRisk.delete({ session: session, order_id: 450789469, id: 284138680, }); ``` ##### ```ruby # Session is activated via Authentication test_session = ShopifyAPI::Context.active_session ShopifyAPI::OrderRisk.delete( session: test_session, order_id: 450789469, id: 284138680, ) ``` ##### ```node // Session is built by the OAuth process await shopify.rest.OrderRisk.delete({ session: session, order_id: 450789469, id: 284138680, }); ``` #### response ```json HTTP/1.1 200 OK{} ```