---
title: Enable extension capabilities for customer accounts
description: >-
  Learn how to configure Storefront API access, network access, and buyer
  consent collection for customer account UI extensions.
source_url:
  html: 'https://shopify.dev/docs/apps/build/customer-accounts/capabilities'
  md: 'https://shopify.dev/docs/apps/build/customer-accounts/capabilities.md'
---

# Enable extension capabilities for customer accounts

Capabilities are permissions you declare in your extension's `shopify.extension.toml` file. They control what your extension is allowed to do at a platform level, such as querying the Storefront API, making external network calls, or collecting buyer consent.

### Available capabilities

| Property | Description |
| - | - |
| [`api_access`](#storefront-api-access) | Allows your extension to query the [Storefront API](https://shopify.dev/docs/api/storefront). |
| [`network_access`](#network-access) | Allows your extension to make external network calls. |
| [`collect_buyer_consent`](#collect-buyer-consent) | Allows your extension to collect buyer consent for specific policies. |

The following example shows a complete `shopify.extension.toml` file with all three capabilities enabled:

## shopify.extension.toml

```toml
api_version = "2026-04"

[[extensions]]
type = "ui_extension"
name = "My customer account extension"
handle = "customer-account-ui"
uid = "your-extension-uid"

[[extensions.targeting]]
target = "customer-account.order-status.block.render"
module = "./src/OrderStatusBlock.jsx"

[extensions.capabilities]
api_access = true
network_access = true

[extensions.capabilities.collect_buyer_consent]
customer_privacy = true
```

***

## Storefront API access

Use the `api_access` capability when your extension needs to retrieve data from the [Storefront API](https://shopify.dev/docs/api/storefront). For example, you might need to fetch product data, check product tags on an item in the order summary, or look up selling plans.
Shopify handles the authentication for all API calls from an extension.

### Enable Storefront API access

## shopify.extension.toml

```toml
[extensions.capabilities]
api_access = true
```

### Methods for accessing the Storefront API

Enabling `api_access` allows you to retrieve data from the [Storefront API](https://shopify.dev/docs/api/storefront) without manually managing token acquisition and refresh.

Use the [`query`](https://shopify.dev/docs/api/customer-account-ui-extensions/latest/target-apis/platform-apis/storefront-api) method to request a single GraphQL response from the Storefront API. This is the recommended approach for most use cases and is available on all customer account extension targets.

If you prefer to construct GraphQL requests yourself or use a full-featured GraphQL client such as Apollo or urql, you can use the global `fetch` instead. The custom `fetch` global automatically appends the required access tokens. The GraphQL client of your choice shouldn't use any DOM APIs, because they aren't available in a customer account UI extension's [Web Worker](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API).

**Note:** If you're using `fetch` to get data external to Shopify, then you need the [`network_access`](#network-access) capability instead of `api_access`.

### Storefront API access scopes

Your extension automatically receives unauthenticated read access to products, collections, product tags, selling plans, and metaobjects through the Storefront API. For the full list of access scopes, refer to the [Storefront API documentation](https://shopify.dev/docs/api/storefront).

[Reference - Storefront API](https://shopify.dev/docs/api/customer-account-ui-extensions/latest/target-apis/platform-apis/storefront-api)

***

## Network access

Use the `network_access` capability when you need data that isn't available through Shopify's APIs.
For example, you might need to fetch loyalty points from your rewards platform, pull inventory status from a warehouse management system, or send analytics events to a third-party service.

**Caution:** If your extension specifies the `network_access` capability, then you must [request access](#request-network-access) to publish your extension.

### Alternatives to network access

Before requesting network access, consider retrieving data from a [metafield](https://shopify.dev/docs/apps/build/metafields) instead. This avoids external network calls and relies on Shopify for uptime, scaling, and durability.

Depending on where your data lives and when you need it, you can use one of these approaches:

* **Read and write customer, order, company, or company location data**: Use the [Customer Account API](https://shopify.dev/docs/api/customer) to access [metafields](https://shopify.dev/docs/api/customer/latest/objects/Metafield) directly from your extension.
* **Read shop or product data written ahead of time**: Use the [GraphQL Admin API](https://shopify.dev/docs/api/admin-graphql) to write [metafields](https://shopify.dev/docs/api/admin-graphql/latest/objects/metafield) before the customer visits the page, then read them from your extension.
* **Read metafields on order status targets without a network call**: Use [`appMetafields`](https://shopify.dev/docs/api/customer-account-ui-extensions/latest/target-apis/order-apis/metafields-api) to retrieve metafields that are already available through Shopify. This is faster because there's no external request.

### Request network access

1. Go to your [Partner Dashboard](https://partners.shopify.com/current/apps).
2. Click the name of the app that you want to change.
3. Click **API access**.
4. Under **Allow network access in checkout and account UI extensions**, click **Allow network access**.
   Your request is automatically approved and your app is immediately granted the approval scope that's required for your customer account UI extension to make external network calls.
5. Add `network_access = true` to the `[extensions.capabilities]` section of your extension's configuration file:

   ## shopify.extension.toml

   ```toml
   [extensions.capabilities]
   network_access = true
   ```

### Required CORS headers

Customer account UI extensions run in a sandboxed [Web Worker](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API), not in the browser page itself. This means network requests from your extension don't carry a recognizable origin. For your server to accept these requests, it must include the following [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) response header:

```text
Access-Control-Allow-Origin: *
```

### App Proxy

[App Proxy](https://shopify.dev/docs/apps/build/online-store/app-proxies) lets you route requests through Shopify to your app's backend. UI extensions can make fetch requests to App Proxy URLs, but there are some differences and limitations because extensions run in a Web Worker:

* Requests execute as CORS requests. See [Required CORS headers](#required-cors-headers) for details.
* The `logged_in_customer_id` query parameter isn't assigned. Use a [session token](https://shopify.dev/docs/api/customer-account-ui-extensions/latest/target-apis/platform-apis/session-token-api) instead, which provides the `sub` claim for the logged-in customer.
* Requests to password-protected shops aren't supported. Extension requests come from a Web Worker which doesn't share the same session as the parent window.
* Not all [HTTP request methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) are supported. Specifically, `CONNECT` and `TRACE` are unsupported.

### Security considerations

When processing HTTP requests on your API server, you can't guarantee that your own extension made every request.
When responding with sensitive data, keep in mind that requests could originate from anywhere on the internet.

Your extension can pass a [session token](https://shopify.dev/docs/api/customer-account-ui-extensions/latest/target-apis/platform-apis/session-token-api) to your API server, but this only guarantees the integrity of its claims. It doesn't guarantee the request itself originated from Shopify. For example, your API server could trust the session token's `sub` claim (the customer ID) but it couldn't trust a `?customer_id=` query parameter.

***

## Collect buyer consent

Use the `collect_buyer_consent` capability when your extension presents consent controls for customer privacy policies, such as data collection preferences or marketing opt-ins. This capability is required before your extension can use the [Customer Privacy API](https://shopify.dev/docs/api/customer-account-ui-extensions/latest/target-apis/account-apis/customer-privacy-api).

To enable customer privacy consent collection, add `customer_privacy = true` to your TOML configuration:

## shopify.extension.toml

```toml
[extensions.capabilities.collect_buyer_consent]
customer_privacy = true
```

[Reference - Customer Privacy API](https://shopify.dev/docs/api/customer-account-ui-extensions/latest/target-apis/account-apis/customer-privacy-api)

***
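
The server-side rule from the Security considerations section above, as an added example (not Shopify's code): the customer is taken from a verified session token's `sub` claim and a `?customer_id=` parameter is never read. It assumes the token is an HS256 JWT signed with your app's client secret and carrying `aud`, `exp`, `nbf` and `sub` claims, and that the extension sends it in an `Authorization: Bearer` header; `verifySessionToken`, `resolveCustomer` and `signSample` are hypothetical names.

```javascript
// Added example (not Shopify's code): resolve the customer from a verified token only.
const crypto = require('node:crypto');

// Returns the token's claims, or null if the token fails any check.
function verifySessionToken(token, clientSecret, clientId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Pin the algorithm instead of letting the token header choose it.
  if (!header || header.alg !== 'HS256' || !claims || typeof claims !== 'object') return null;
  const expected = crypto.createHmac('sha256', clientSecret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null; // expired
  if (typeof claims.nbf === 'number' && claims.nbf > nowSec) return null;  // not yet valid
  if (claims.aud !== clientId) return null;                                // issued for another app
  return claims;
}

// req is a minimal { headers, query } shape (hypothetical, framework-agnostic).
// Access-Control-Allow-Origin: * means CORS gives no protection, so the token is the only check.
function resolveCustomer(req, clientSecret, clientId, nowSec) {
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
  const claims = m ? verifySessionToken(m[1], clientSecret, clientId, nowSec) : null;
  // req.query.customer_id is deliberately never read: anyone on the internet can set it.
  if (!claims || typeof claims.sub !== 'string') return { status: 401, customerId: null };
  return { status: 200, customerId: claims.sub };
}

// Constructed sample token, signed locally so the example runs offline.
function signSample(claims, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${body}.${crypto.createHmac('sha256', secret).update(body).digest('base64url')}`;
}
```
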