All metafields and metaobjects have permissions that control who can read or write to them. > Note > Metafield and metaobject [permissions are being simplified](/changelog/simplifying-how-metafield-and-metaobject-permissions-work) in the first half of 2025. ## How it works Both metafields and metaobjects offer permissions based on their [ownership type](/docs/apps/build/custom-data/ownership) with the following defaults: - **Merchant owned**: Readable and writeable by anyone in the Shopify admin. Not available by default in storefronts or customer accounts. - **App owned**: Readable by only merchants and the owning app in the Shopify admin. Not available by default in storefronts or customer accounts. Overriding default permissions requires a definition to exist. With that, you can set permissions in the `access` input with the [`MetafieldAccessInput`](/docs/api/admin-graphql/latest/input-objects/MetafieldAccessInput) and [`MetaobjectAccessInput`](/docs/api/admin-graphql/latest/input-objects/MetaobjectAccessInput) input objects respectively. The following explains the permissions for each surface: ### Admin `admin` controls permissions for both the Shopify admin and the [GraphQL Admin API](/docs/api/admin-graphql). For app-owned metafields and metaobjects:
Permission | Description |
---|---|
MERCHANT_READ |
The metafield or metaobject will be readable by merchants through the Shopify admin. Only the owning app can read and write to it using the GraphQL Admin API. |
MERCHANT_READ_WRITE |
The metafield or metaobject will be readable and writable by merchants via the Shopify admin. Only the owning app can read and write to it via the GraphQL Admin API. |
Permission | Description |
---|---|
PUBLIC_READ_WRITE |
The metafield or metaobject will be readable and writable by merchants via the Shopify admin. All apps with the `metaobject` access scope can read and write to it via the GraphQL Admin API. |
Permission | Description |
---|---|
NONE |
The metafield or metaobject will be hidden from the Storefront API. |
PUBLIC_READ |
The metafield or metaobject will be accessible in the Storefront API by any app with the `unauthenticated_metaobjects` access scope. |
Permission | Description |
---|---|
NONE |
The metafield will be hidden from the Customer Accounts API. |
CUSTOMER_READ |
The metafield will be readable in the Customer Accounts API. |
CUSTOMER_READ_WRITE |
The metafield will be readable and writable in the Customer Accounts API. |