---
title: Access scopes for the REST Admin API
description: >-
  All apps need to request access to specific store data during the app
  authorization process. This is a list of available access scopes for the REST
  Admin API.
source_url:
  html: 'https://shopify.dev/docs/api/admin-rest/usage/access-scopes'
  md: 'https://shopify.dev/docs/api/admin-rest/usage/access-scopes.md'
---

# Access scopes for the REST Admin API

**Legacy:**

The REST Admin API is a legacy API as of October 1, 2024. All apps and integrations should be built with the [GraphQL Admin API](https://shopify.dev/docs/api/admin-graphql). For details and migration steps, visit our [migration guide](https://shopify.dev/docs/apps/build/graphql/migrate).

All apps need to request access to specific store data during the app authorization process. This guide provides a list of available access scopes for the REST Admin API.

***

## How it works

**Tip:**

For more information on how to configure your access scopes, refer to [app configuration](https://shopify.dev/docs/apps/build/cli-for-apps/app-configuration).

Authorization is the process of giving permissions to apps. Users can authorize Shopify apps to access data in a store. For example, an app might be authorized to access customer data in a store.

For the REST Admin API, an app can request authenticated access scopes. Authenticated access is intended for interacting with a store on behalf of a user. For example, creating products and managing discount codes.

Shopify has additional access scope types for working with GraphQL APIs. [Learn more](https://shopify.dev/docs/api/usage/access-scopes).

***

## Authenticated access scopes

Your app can request the following authenticated access scopes:

| Scope | Access |
| - | - |
| `read_assigned_fulfillment_orders`,`write_assigned_fulfillment_orders` | [FulfillmentOrder](https://shopify.dev/docs/api/admin-rest/latest/resources/assignedfulfillmentorder) resources assigned to a location managed by your [fulfillment service](https://shopify.dev/docs/api/admin-rest/latest/resources/fulfillmentservice) |
| `read_checkouts`,`write_checkouts` | [Checkouts](https://shopify.dev/docs/api/admin-rest/latest/resources/checkout) |
| `read_content`, | [Article](https://shopify.dev/docs/api/admin-rest/latest/resources/article), [Blog](https://shopify.dev/docs/api/admin-rest/latest/resources/blog), [Comment](https://shopify.dev/docs/api/admin-rest/latest/resources/comment), [Page](https://shopify.dev/docs/api/admin-rest/latest/resources/page), and [Redirects](https://shopify.dev/docs/api/admin-rest/latest/resources/redirect) |
| `read_customers`,`write_customers` | [Customer](https://shopify.dev/docs/api/admin-rest/latest/resources/customer) |
| `read_draft_orders`,`write_draft_orders` | [Draft Order](https://shopify.dev/docs/api/admin-rest/latest/resources/draftorder) |
| `read_fulfillments`,`write_fulfillments` | [Fulfillment Service](https://shopify.dev/docs/api/admin-rest/latest/resources/fulfillmentservice) |
| `read_gift_cards`,`write_gift_cards` | [Gift Card](https://shopify.dev/docs/api/admin-rest/latest/resources/gift-card) |
| `read_inventory`,`write_inventory` | [Inventory Level](https://shopify.dev/docs/api/admin-rest/latest/resources/inventorylevel) and [Inventory Item](https://shopify.dev/docs/api/admin-rest/latest/resources/inventoryitem) |
| `read_locations` | [Location](https://shopify.dev/docs/api/admin-rest/latest/resources/location) |
| `read_marketing_events`,`write_marketing_events` | [Marketing Event](https://shopify.dev/docs/api/admin-rest/latest/resources/marketingevent) |
| `read_merchant_managed_fulfillment_orders`,`write_merchant_managed_fulfillment_orders` | [FulfillmentOrder](https://shopify.dev/docs/api/admin-rest/latest/resources/fulfillmentorder) resources assigned to merchant-managed locations |
| `read_orders`,`write_orders` | [Abandoned checkouts](https://shopify.dev/docs/api/admin-rest/latest/resources/abandoned-checkouts), [Customer](https://shopify.dev/docs/api/admin-rest/latest/resources/customer), [Fulfillment](https://shopify.dev/docs/api/admin-rest/latest/resources/fulfillment), [Order](https://shopify.dev/docs/api/admin-rest/latest/resources/order), and [Transaction](https://shopify.dev/docs/api/admin-rest/latest/resources/transaction) resources |
| `read_price_rules`,`write_price_rules` | [Price Rules](https://shopify.dev/docs/api/admin-rest/latest/resources/pricerule) |
| `read_products`,`write_products` | [Product](https://shopify.dev/docs/api/admin-rest/latest/resources/product), [Product Variant](https://shopify.dev/docs/api/admin-rest/latest/resources/product-variant), [Product Image](https://shopify.dev/docs/api/admin-rest/latest/resources/product-image), [Collect](https://shopify.dev/docs/api/admin-rest/latest/resources/collect), [Custom Collection](https://shopify.dev/docs/api/admin-rest/latest/resources/customcollection), and [Smart Collection](https://shopify.dev/docs/api/admin-rest/latest/resources/smartcollection) |
| `read_product_listings` | [Product Listing](https://shopify.dev/docs/api/admin-rest/latest/resources/productlisting) and [Collection Listing](https://shopify.dev/docs/api/admin-rest/latest/resources/collectionlisting) |
| `read_reports`,`write_reports` | [Reports](https://shopify.dev/docs/api/admin-rest/latest/resources/report) |
| `read_resource_feedbacks`,`write_resource_feedbacks` | [ResourceFeedback](https://shopify.dev/docs/api/admin-rest/latest/resources/resourcefeedback) |
| `read_script_tags`,`write_script_tags` | [Script Tag](https://shopify.dev/docs/api/admin-rest/latest/resources/scripttag) |
| `read_shipping`,`write_shipping` | [Carrier Service](https://shopify.dev/docs/api/admin-rest/latest/resources/carrierservice), [Country](https://shopify.dev/docs/api/admin-rest/latest/resources/country), and [Province](https://shopify.dev/docs/api/admin-rest/latest/resources/province) |
| `read_shopify_payments_disputes` | Shopify Payments [Dispute](https://shopify.dev/docs/api/admin-rest/latest/resources/dispute) resource |
| `read_shopify_payments_dispute_evidences` | Shopify Payments [Dispute Evidence](https://shopify.dev/docs/api/admin-rest/latest/resources/dispute-evidence) resource |
| `read_shopify_payments_payouts` | Shopify Payments [Payouts](https://shopify.dev/docs/api/admin-rest/latest/resources/payouts), [Balance](https://shopify.dev/docs/api/admin-rest/latest/resources/balance), and [Transaction](https://shopify.dev/docs/api/admin-rest/latest/resources/transaction) resources |
| `read_themes`,`write_themes` | [Asset](https://shopify.dev/docs/api/admin-rest/latest/resources/asset) and [Theme](https://shopify.dev/docs/api/admin-rest/latest/resources/theme) |
| `read_third_party_fulfillment_orders`,`write_third_party_fulfillment_orders` | [FulfillmentOrder](https://shopify.dev/docs/api/admin-rest/latest/resources/fulfillmentorder) resources assigned to a location managed by any [fulfillment service](https://shopify.dev/docs/api/admin-rest/latest/resources/fulfillmentservice)As of API version 2024-10, fulfillment orders that are assigned to a fulfillment service can only be fulfilled by the [fulfillment service app](https://shopify.dev/docs/apps/build/orders-fulfillment/fulfillment-service-apps) that manages the location they are assigned to. |
| `read_users` | [User](https://shopify.dev/docs/api/admin-rest/latest/resources/user)shopify plus |

***

## Checking granted access scopes

You can check your app’s granted access scopes. The following is an example request:

##### REST request

```html
GET https://{store_name}.myshopify.com/admin/oauth/access_scopes.json
```

##### JSON response

```json
{
  "access_scopes": [
    {
      "handle": "read_products"
    },
    {
      "handle": "write_orders"
    },
    {
      "handle": "read_orders"
    }
  ]
}
```

***

## Limitations and considerations

* Apps should request only the minimum amount of data that's necessary for an app to function when using a Shopify API. Shopify restricts access to scopes for apps that don't require legitimate use of the associated data.
* Only [public or custom apps](https://shopify.dev/docs/apps/launch/distribution) are granted access scopes. Legacy app types, such as private or unpublished, won't be granted new access scopes.

***