Use access controls for metaobjects
You can control how metaobjects can be used by the Shopify admin and the storefront. This guide describes how to configure access scopes and controls on your metaobjects to limit who can read or write to your metaobjects.
How it works
You might want your metaobjects to be private to your app or hidden away from the user's storefront. The `access` input object in the `metaobjectDefinitionCreate` mutation enables you to specify different levels of control over these options. The following table includes all available admin and storefront access settings:
Admin access setting | Description | Requires reserved prefix? |
---|---|---|
PRIVATE | Only the app that owns a metaobject of this type can read and write to it. | Yes |
MERCHANT_READ | Apps that act on behalf of the app user (such as the admin) can read metaobjects of this type. Only the owning app can write to metaobjects of this type. | Yes |
MERCHANT_READ_WRITE | Both the owning app and apps that act on behalf of the app user (such as the admin) can read or write to metaobjects of this type. No other applications can read or write metaobjects. | Yes |
PUBLIC_READ | All apps with the `metaobject` access scope can read metaobjects of this type. Only the owning app can write to metaobjects of this type. | Yes |
Storefront access setting | Description | Requires reserved prefix? |
---|---|---|
NONE | Metaobjects of this type aren't accessible in any Storefront API requests or Liquid. | Yes |
PUBLIC_READ | Metaobjects of this type are accessible in the Storefront GraphQL API by any app with the `unauthenticated_metaobjects` access scope. Metaobjects of this type are also accessible in online store Liquid templates. | No |
If you don't provide an `access` attribute to `metaobjectDefinitionCreate`, then the behavior is determined by whether you used a reserved prefix or not.
Default for | With reserved prefix | Without reserved prefix |
---|---|---|
Admin | Only the app that owns a metaobject of this type can read and write to it. | All apps with the `metaobjects` access scopes can read or write to metaobjects of this type. |
Storefront | Not available in Storefront API or Liquid | Not available in Storefront API or Liquid |
Requirements
- Your app can make authenticated requests to the GraphQL Admin API.
- You're using API version 2023-01 or higher.
Define a metaobject that users can read and write within their admin
In the following example, the GraphQL Admin API's `metaobjectDefinitionCreate` mutation uses the `MERCHANT_READ_WRITE` admin access setting to enable users to read and write metaobjects of this type.
Define a private metaobject visible only to your app
In this example, the `metaobjectDefinitionCreate` mutation uses the `PRIVATE` admin access setting and `NONE` storefront access setting to keep metaobjects of this type visible only to the app.
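
The two definitions described above (`MERCHANT_READ_WRITE`, and `PRIVATE` with `NONE`), as an added example that is not Shopify's own code. It goes one step further and checks each request against the "Requires reserved prefix?" and default tables before anything is sent. The `$app:` reserved prefix, the sample names and field definitions, and the helper `buildDefinitionRequest` are assumptions that do not appear on this page.

```javascript
// Added example: only metaobjectDefinitionCreate and the access enum values come from the page.
const RESERVED_PREFIX = "$app:"; // assumption: the app-reserved type prefix (not shown on this page)

// Setting -> "Requires reserved prefix?" column of the two access tables.
const ADMIN = new Map([["PRIVATE", true], ["MERCHANT_READ", true],
                       ["MERCHANT_READ_WRITE", true], ["PUBLIC_READ", true]]);
const STOREFRONT = new Map([["NONE", true], ["PUBLIC_READ", false]]);

const MUTATION = `mutation CreateDefinition($definition: MetaobjectDefinitionCreateInput!) {
  metaobjectDefinitionCreate(definition: $definition) {
    metaobjectDefinition { id type access { admin storefront } }
    userErrors { field message }
  }
}`;

// Hypothetical helper: builds the request body and throws before any network
// call if the access settings contradict the tables. admin/storefront are optional.
function buildDefinitionRequest({ name, type, admin, storefront, fieldDefinitions }) {
  const reserved = type.startsWith(RESERVED_PREFIX);
  const access = {};
  for (const [key, value, table] of [["admin", admin, ADMIN], ["storefront", storefront, STOREFRONT]]) {
    if (value === undefined) continue;
    if (!table.has(value)) throw new Error(`unknown ${key} access setting: ${value}`);
    if (table.get(value) && !reserved)
      throw new Error(`${key} access ${value} requires a reserved-prefix type, got "${type}"`);
    access[key] = value;
  }
  const warnings = [];
  // Default table: no admin setting and no reserved prefix leaves the type open to other apps.
  if (admin === undefined && !reserved)
    warnings.push("admin default: all apps with the metaobjects access scopes can read or write");
  const definition = { name, type, fieldDefinitions };
  if (Object.keys(access).length > 0) definition.access = access;
  return { query: MUTATION, variables: { definition }, warnings };
}

// Constructed sample definitions for the two cases this guide describes.
const fields = [{ key: "note", name: "Note", type: "single_line_text_field" }];
const merchantEditable = () => buildDefinitionRequest(
  { name: "Shop note", type: "$app:shop_note", admin: "MERCHANT_READ_WRITE", fieldDefinitions: fields });
const appPrivate = () => buildDefinitionRequest(
  { name: "Sync state", type: "$app:sync_state", admin: "PRIVATE", storefront: "NONE", fieldDefinitions: fields });
```

The returned `query` and `variables` are the JSON body for an authenticated GraphQL Admin API request; check `userErrors` in the response as well, since the server remains the authority on what it accepts.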