--- title: Order Risk description: Display a fraud analysis and recommendations on the details page of an order. api_version: unstable api_name: admin-rest api_type: rest source_url: html: https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk md: https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk.md --- ![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg) The REST Admin API is a legacy API as of October 1, 2024. Starting April 1, 2025, all new public apps must be built exclusively with the [GraphQL Admin API](https://shopify.dev/docs/api/admin-graphql). For details and migration steps, visit our [migration guide](https://shopify.dev/docs/apps/build/graphql/migrate). # Order Risk Requires `orders` access scope. The Order Risk resource allows you to create, retrieve, update, and delete order risks. Order risks represent the results of fraud checks that have been completed for an order. #### Usage notes Caution As of version 2024-04 this resource is deprecated. Risk Assessments can be queried via the [Order Risk Assessment API](https://shopify.dev/docs/api/admin-graphql/2024-04/objects/OrderRiskAssessment). * This resource is deprecated in version 2024-04. Please refer to the GraphQL api for [Order#field-order-risk](https://shopify.dev/docs/api/admin-graphql/2024-04/objects/Order#field-order-risk) * When determining an order's risk level, Shopify takes into account only those order risks that have the display property set to `true`. Orders with a display set to `false` will not be returned through the Order Risk resource. It's not advised to create order risks with a display set to `false`. This property might be removed in future API versions. * Risk assessments will favor the most severe risk recommendation for an order. Keep this in mind when creating new order risks. \# ## Endpoints * [post](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#post-orders-order-id-risks) [/admin/api/unstable/orders/{order\_​id}/risks.​json](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#post-orders-order-id-risks) Creates an order risk for an order [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order) [orderRiskAssessmentCreate](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order) * [get](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#get-orders-order-id-risks) [/admin/api/unstable/orders/{order\_​id}/risks.​json](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#get-orders-order-id-risks) Retrieves a list of all order risks for an order [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/queries/order) [order](https://shopify.dev/docs/api/admin-graphql/latest/queries/order) * [get](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#get-orders-order-id-risks-risk-id) [/admin/api/unstable/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#get-orders-order-id-risks-risk-id) Retrieves a single order risk by its ID deprecated * [put](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#put-orders-order-id-risks-risk-id) [/admin/api/unstable/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#put-orders-order-id-risks-risk-id) Updates an order risk deprecated * [del](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#delete-orders-order-id-risks-risk-id) [/admin/api/unstable/orders/{order\_​id}/risks/{risk\_​id}.​json](https://shopify.dev/docs/api/admin-rest/unstable/resources/order-risk#delete-orders-order-id-risks-risk-id) Deletes an order risk for an order deprecated *** ## The Order Risk resource ### Properties *** cause\_cancel -> [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation) [recommendation](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation) Whether this order risk is severe enough to force the cancellation of the order. If `true`, then this order risk is included in the **Order canceled** message that's shown on the details page of the canceled order. **Note:** Setting this property to `true` does not cancel the order. Use this property only if your app automatically cancels the order using the [Order](https://shopify.dev/docs/admin-api/rest/reference/orders/order/#cancel-{{%20current_version%20}}) resource. If your app doesn't automatically cancel orders based on order risks, then leave this property set to `false`. *** checkout\_id deprecated The ID of the checkout that the order risk belongs to. *** display deprecated Whether the order risk is displayed on the order details page in the Shopify admin. If `false`, then this order risk is ignored when Shopify determines your app's overall risk level for the order. It's not advised to create order risks with a display set to `false`. Note This property can't be changed after an order risk is created. This property might be removed in future API versions. *** id deprecated A unique numeric identifier for the order risk. *** merchant\_message deprecated The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if `display` is set to`true`. *** message -> [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/objects/RiskFact#field-RiskFact.fields.description) [description](https://shopify.dev/docs/api/admin-graphql/latest/objects/RiskFact#field-RiskFact.fields.description) The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if `display` is set to`true`. *** order\_id -> [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/objects/Order#field-Order.fields.id) [id](https://shopify.dev/docs/api/admin-graphql/latest/objects/Order#field-Order.fields.id) The ID of the order that the order risk belongs to. *** recommendation -> [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation) [recommendation](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskSummary#field-OrderRiskSummary.fields.recommendation) The recommended action given to the merchant. Valid values: Show recommendation properties * **cancel**: There is a high level of risk that this order is fraudulent. The merchant should cancel the order. * **investigate**: There is a medium level of risk that this order is fraudulent. The merchant should investigate the order. * **accept**: There is a low level of risk that this order is fraudulent. The order risk found no indication of fraud. *** score string -> [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.riskLevel) [riskLevel](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.riskLevel) **For internal use only**. A number between 0 and 1 that's assigned to the order. The closer the score is to 1, the more likely it is that the order is fraudulent. Note There is no guarantee of stability in risk scores. Scores are not probabilities. The relationship between scores and the probability of fraud can vary over time and between risk providers. *** source -> [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.provider) [provider](https://shopify.dev/docs/api/admin-graphql/latest/objects/OrderRiskAssessment#field-OrderRiskAssessment.fields.provider) The source of the order risk. *** {} ## The Order Risk resource ```json { "cause_cancel": false, "checkout_id": 901414060, "display": true, "id": 284138680, "merchant_message": "This order came from an anonymous proxy.", "message": "This order came from an anonymous proxy.", "order_id": 450789469, "recommendation": "cancel", "score": "1.0", "source": "External" } ``` *** ## postCreates an order risk for an order [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order) [orderRiskAssessmentCreate](https://shopify.dev/docs/api/admin-graphql/latest/mutations/orderRiskAssessmentCreate?example=creates-an-order-risk-for-an-order) Creates an order risk for an order ### Parameters *** api\_version string required *** order\_id string required *** ### Examples Create an order risk showing a fraud risk for proxy detection Path parameters order\_​id=​450789469 string required post ## /admin/api/unstable/orders/450789469/risks.​json ```bash curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \ -X POST "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` {} ## Response JSON ```json HTTP/1.1 201 Created { "risk": { "id": 1029151489, "order_id": 450789469, "checkout_id": 901414060, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order came from an anonymous proxy", "merchant_message": "This order came from an anonymous proxy" } } ``` ### examples * #### Create an order risk showing a fraud risk for proxy detection ##### ```curl curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \ -X POST "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` ##### ```remix import { DataType } from '@shopify/shopify-api'; const client = new shopify.clients.Rest({session}); const data = await client.post({ path: 'orders/450789469/risks', data: {"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}, type: DataType.JSON, }); ``` ##### ```ruby session = ShopifyAPI::Auth::Session.new( shop: "your-development-store.myshopify.com", access_token: access_token ) client = ShopifyAPI::Clients::Rest::Admin.new( session: session ) response = client.post( path: 'orders/450789469/risks', body: { "risk": { "message": "This order came from an anonymous proxy", "recommendation": "cancel", "score": "1.0", "source": "External", "cause_cancel": true, "display": true } }, ) ``` ##### ```node import { DataType } from '@shopify/shopify-api'; const client = new shopify.clients.Rest({session}); const data = await client.post({ path: 'orders/450789469/risks', data: {"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}, type: DataType.JSON, }); ``` #### response ```json HTTP/1.1 201 Created{"risk":{"id":1029151489,"order_id":450789469,"checkout_id":901414060,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order came from an anonymous proxy","merchant_message":"This order came from an anonymous proxy"}} ``` *** ## getRetrieves a list of all order risks for an order [![](https://shopify.dev/images/logos/GraphQL.svg)![](https://shopify.dev/images/logos/GraphQL-dark.svg)](https://shopify.dev/docs/api/admin-graphql/latest/queries/order) [order](https://shopify.dev/docs/api/admin-graphql/latest/queries/order) Retrieves a list of all order risks for an order. **Note:** This endpoint implements pagination by using links that are provided in the response header. To learn more, refer to [Make paginated requests to the REST Admin API](https://shopify.dev/api/usage/pagination-rest). ### Parameters *** api\_version string required *** order\_id string required *** ### Examples Retrieve all order risks for an order Path parameters order\_​id=​450789469 string required get ## /admin/api/unstable/orders/450789469/risks.​json ```bash curl -X GET "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risks": [ { "id": 284138680, "order_id": 450789469, "checkout_id": null, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order was placed from a proxy IP", "merchant_message": "This order was placed from a proxy IP" }, { "id": 1029151490, "order_id": 450789469, "checkout_id": 901414060, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order came from an anonymous proxy", "merchant_message": "This order came from an anonymous proxy" } ] } ``` ### examples * #### Retrieve all order risks for an order ##### ```curl curl -X GET "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix const client = new shopify.clients.Rest({session}); const data = await client.get({ path: 'orders/450789469/risks', }); ``` ##### ```ruby session = ShopifyAPI::Auth::Session.new( shop: "your-development-store.myshopify.com", access_token: access_token ) client = ShopifyAPI::Clients::Rest::Admin.new( session: session ) response = client.get( path: 'orders/450789469/risks', ) ``` ##### ```node const client = new shopify.clients.Rest({session}); const data = await client.get({ path: 'orders/450789469/risks', }); ``` #### response ```json HTTP/1.1 200 OK{"risks":[{"id":284138680,"order_id":450789469,"checkout_id":null,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order was placed from a proxy IP","merchant_message":"This order was placed from a proxy IP"},{"id":1029151490,"order_id":450789469,"checkout_id":901414060,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order came from an anonymous proxy","merchant_message":"This order came from an anonymous proxy"}]} ``` *** ## getRetrieves a single order risk by its IDdeprecated Retrieves a single order risk by its ID ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples Retrieve a single order risk get ## /admin/api/unstable/orders/450789469/risks/284138680.​json ```bash curl -X GET "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risk": { "id": 284138680, "order_id": 450789469, "checkout_id": null, "source": "External", "score": "1.0", "recommendation": "cancel", "display": true, "cause_cancel": true, "message": "This order was placed from a proxy IP", "merchant_message": "This order was placed from a proxy IP" } } ``` ### examples * #### Retrieve a single order risk ##### ```curl curl -X GET "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix const client = new shopify.clients.Rest({session}); const data = await client.get({ path: 'orders/450789469/risks/284138680', }); ``` ##### ```ruby session = ShopifyAPI::Auth::Session.new( shop: "your-development-store.myshopify.com", access_token: access_token ) client = ShopifyAPI::Clients::Rest::Admin.new( session: session ) response = client.get( path: 'orders/450789469/risks/284138680', ) ``` ##### ```node const client = new shopify.clients.Rest({session}); const data = await client.get({ path: 'orders/450789469/risks/284138680', }); ``` #### response ```json HTTP/1.1 200 OK{"risk":{"id":284138680,"order_id":450789469,"checkout_id":null,"source":"External","score":"1.0","recommendation":"cancel","display":true,"cause_cancel":true,"message":"This order was placed from a proxy IP","merchant_message":"This order was placed from a proxy IP"}} ``` *** ## putUpdates an order riskdeprecated Updates an order risk Note You cannot modify an order risk that was created by another application. ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples Update an existing order risk for an order put ## /admin/api/unstable/orders/450789469/risks/284138680.​json ```bash curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \ -X PUT "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` {} ## Response JSON ```json HTTP/1.1 200 OK { "risk": { "order_id": 450789469, "cause_cancel": false, "message": "After further review, this is a legitimate order", "recommendation": "accept", "score": "0.0", "source": "External", "id": 284138680, "checkout_id": null, "display": true, "merchant_message": "After further review, this is a legitimate order" } } ``` ### examples * #### Update an existing order risk for an order ##### ```curl curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \ -X PUT "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" \ -H "Content-Type: application/json" ``` ##### ```remix import { DataType } from '@shopify/shopify-api'; const client = new shopify.clients.Rest({session}); const data = await client.put({ path: 'orders/450789469/risks/284138680', data: {"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}, type: DataType.JSON, }); ``` ##### ```ruby session = ShopifyAPI::Auth::Session.new( shop: "your-development-store.myshopify.com", access_token: access_token ) client = ShopifyAPI::Clients::Rest::Admin.new( session: session ) response = client.put( path: 'orders/450789469/risks/284138680', body: { "risk": { "id": 284138680, "message": "After further review, this is a legitimate order", "recommendation": "accept", "source": "External", "cause_cancel": false, "score": "0.0" } }, ) ``` ##### ```node import { DataType } from '@shopify/shopify-api'; const client = new shopify.clients.Rest({session}); const data = await client.put({ path: 'orders/450789469/risks/284138680', data: {"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}, type: DataType.JSON, }); ``` #### response ```json HTTP/1.1 200 OK{"risk":{"order_id":450789469,"cause_cancel":false,"message":"After further review, this is a legitimate order","recommendation":"accept","score":"0.0","source":"External","id":284138680,"checkout_id":null,"display":true,"merchant_message":"After further review, this is a legitimate order"}} ``` *** ## delDeletes an order risk for an orderdeprecated Deletes an order risk for an order Note You cannot delete an order risk that was created by another application. ### Parameters *** api\_version string required *** order\_id string required *** risk\_id string required *** ### Examples Delete an order risk for an order del ## /admin/api/unstable/orders/450789469/risks/284138680.​json ```bash curl -X DELETE "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` {} ## Response JSON ```json HTTP/1.1 200 OK {} ``` ### examples * #### Delete an order risk for an order ##### ```curl curl -X DELETE "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \ -H "X-Shopify-Access-Token: {access_token}" ``` ##### ```remix const client = new shopify.clients.Rest({session}); const data = await client.delete({ path: 'orders/450789469/risks/284138680', }); ``` ##### ```ruby session = ShopifyAPI::Auth::Session.new( shop: "your-development-store.myshopify.com", access_token: access_token ) client = ShopifyAPI::Clients::Rest::Admin.new( session: session ) response = client.delete( path: 'orders/450789469/risks/284138680', ) ``` ##### ```node const client = new shopify.clients.Rest({session}); const data = await client.delete({ path: 'orders/450789469/risks/284138680', }); ``` #### response ```json HTTP/1.1 200 OK{} ```