Access Controls
Controlling Admin and Storefront API access
Metaobjects provide you with detailed control over how your metaobjects can be used by Shopify's admin and storefront. In some scenarios, you might want your metaobjects to be private to your app or hidden from merchants' storefronts. The `access` input object in the `metaobjectDefinitionCreate` mutation enables you to specify different levels of control over these options. The following tables list all available admin and storefront access settings:
Admin access setting | Description | Requires reserved prefix? |
---|---|---|
PRIVATE | Only the app that owns a metaobject of this type can read and write to it. | Yes |
MERCHANT_READ | Apps that act on behalf of merchants (such as the admin) can read metaobjects of this type. Only the owning app can write to metaobjects of this type. | Yes |
MERCHANT_READ_WRITE | Both the owning app and apps that act on behalf of merchants (such as the admin) can read or write to metaobjects of this type. No other applications can read or write metaobjects. | Yes |
PUBLIC_READ | All apps with the `metaobject` access scope can read metaobjects of this type. Only the owning app can write to metaobjects of this type. | Yes |
PUBLIC_READ_WRITE | All apps with the `metaobjects` access scopes can read or write to metaobjects of this type. | No |

Storefront access setting | Description | Requires reserved prefix? |
---|---|---|
NONE | Metaobjects of this type aren't accessible in any Storefront API requests. | Yes |
PUBLIC_READ | Metaobjects of this type are accessible in the Storefront GraphQL API by any app with the `unauthenticated_metaobjects` access scope. Metaobjects of this type are also accessible in online store Liquid templates. | No |

If you don't provide an `access` attribute to `metaobjectDefinitionCreate`, then the default scope is determined by whether you used a reserved prefix or not.

Default for | With reserved prefix | Without reserved prefix |
---|---|---|
Admin access setting | PRIVATE | PUBLIC_READ_WRITE |
Storefront access setting | NONE | NONE |
Requirements
- Your app can make authenticated requests to the GraphQL Admin API.
Defining a metaobject that merchants can read and write within their admin
In this example, the `metaobjectDefinitionCreate` mutation uses the `MERCHANT_READ_WRITE` admin access setting to allow merchants to read and write metaobjects of this type.
Defining a private metaobject visible only to your app
In this example, the `metaobjectDefinitionCreate` mutation uses the `PRIVATE` admin access setting and `NONE` storefront access setting to keep metaobjects of this type visible only to the app.
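
The two definitions described above, as an added example (not Shopify's own sample code): a pre-flight check that applies this page's reserved-prefix and default tables before building the `metaobjectDefinitionCreate` request body. It assumes the reserved prefix is written `$app:`; the type names, the field and the helper names are hypothetical.

```python
import json

RESERVED_PREFIX = "$app:"  # assumption: the reserved prefix, not spelled out on this page

# "Requires reserved prefix?" columns from the two tables above.
ADMIN = {"PRIVATE": True, "MERCHANT_READ": True, "MERCHANT_READ_WRITE": True,
         "PUBLIC_READ": True, "PUBLIC_READ_WRITE": False}
STOREFRONT = {"NONE": True, "PUBLIC_READ": False}

MUTATION = """
mutation CreateDefinition($definition: MetaobjectDefinitionCreateInput!) {
  metaobjectDefinitionCreate(definition: $definition) {
    metaobjectDefinition { id type access { admin storefront } }
    userErrors { field message }
  }
}
"""

def resolve_access(type_name, admin=None, storefront=None):
    """Validate explicit settings and return the effective access, per the tables."""
    reserved = type_name.startswith(RESERVED_PREFIX)
    for setting, table in ((admin, ADMIN), (storefront, STOREFRONT)):
        if setting is None:
            continue  # omitted: the default row applies
        if setting not in table:
            raise ValueError(f"unknown access setting: {setting}")
        if table[setting] and not reserved:
            raise ValueError(f"{setting} requires a reserved-prefix type")
    return {"admin": admin or ("PRIVATE" if reserved else "PUBLIC_READ_WRITE"),
            "storefront": storefront or "NONE"}

def build_request(type_name, name, fields, admin=None, storefront=None):
    """Build the GraphQL request body, sending only the settings given explicitly."""
    resolve_access(type_name, admin, storefront)  # fail before any network call
    access = {k: v for k, v in (("admin", admin), ("storefront", storefront)) if v}
    definition = {"type": type_name, "name": name, "fieldDefinitions": fields}
    if access:
        definition["access"] = access
    return {"query": MUTATION, "variables": {"definition": definition}}

# Constructed sample definitions (hypothetical type names and field).
FIELDS = [{"key": "value", "name": "Value", "type": "single_line_text_field"}]
PRIVATE_REQ = build_request("$app:license_key", "License key", FIELDS,
                            admin="PRIVATE", storefront="NONE")
MERCHANT_REQ = build_request("$app:size_chart", "Size chart", FIELDS,
                             admin="MERCHANT_READ_WRITE")

if __name__ == "__main__":
    print(json.dumps(PRIVATE_REQ["variables"], indent=2))
```

Calling `resolve_access` on a type without the reserved prefix and no explicit settings returns `PUBLIC_READ_WRITE` for admin access, which is the case to catch in review when a definition was meant to be app-private.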