增加商家信任:引入更新the Shopify Order API

shopify order api

When merchants have large sales volumes, they also have large volumes of data on all their customers who have made orders.

So when merchants add new apps to their stores, it’s important for them to know that this data is protected and not being accessed unnecessarily.

To help increase merchant trust in apps, we’re introducing updates to the scopes within the Order API.

You might also like:Platform Updates That Will Help you Extend Your Offering and Build Faster.

Added protections for order data

One area we pay special attention to is data surrounding a merchant’s orders. There are many apps that require access to orders, but when a merchant installs one of these apps, they are implicitly giving out the entireorder historyof their shop. In some cases, this could be upwards of ten years of customer activity.

For certain apps, such as those that build year-over-year earnings reports, this level of access is necessary. However, for many of the apps that work with orders, access to this much data may be unnecessary. With GDPR now in effect, it’s especially important to avoid accessing data that your app doesn’t have a real need for.

To help you access only what you need—and for merchants to feel more secure about how apps access their data—we’re introducing a new access scope calledread_all_orders.

Update: Learn how the release oforder editingimpacts app developers.

Requesting the scope to read all order data

Going forward,apps that require access to all of a merchant’s orders will first need to be approved by Shopify. Once we approve the request, theread_all_ordersscope can be added to an app, just like theread_ordersscope. Both scopes must be used together to access all orders (read_all_ordersplus one ofread_ordersorwrite_orders).

Because we don’t want to interfere with apps that don’t require all of a shop’s orders, any apps that have the standardread_ordersorwrite_ordersscope will have access to the last 60 days of a shop’s orders, and do not require any associated approval from Shopify—simply from the merchant during the standard app installation flow. These apps will have no issue using the Order API or webhooks—they will simply have a window of 60 days worth of orders.

Apps that require the escalated access to all orders can request Shopify’s approval through theShopify Partners Dashboard.

shopify order api: all orders
Requesting access to all orders in the Shopify Partners Dashboard.

You will be prompted to explain the reason why your app needs this scope, as we would like to prevent apps from accessing data unnecessarily.

You might also like:How to Generate a Shopify Access Token.

Informing merchants of the data your app is requesting

Over the years, we’ve added more fine-grained control to allow apps to request access to different resources on a merchant’s shop. The current app installation page summarizes these access scopes in a readable way for merchants.

shopify order api: merchant experience
Merchant experience in the admin when you’re about to install an app.

A merchant is presented this screen each time an app is being installed, but they may not be crystal clear on which scopes are being granted.

To solve this problem, we’ve modified the app installation page to highlight any sensitive scopes being requested by the app. Merchants will now see a yellow notification when installing an app that has access to all orders.

shopify order api: banner
App install pages, with banner flagging that the app will need access to all orders.

When merchants trust apps, our app ecosystem thrives

These changes to the Order API will help assure merchants that their data is safe with your app and with Shopify. By being mindful of what data apps need to access, and making sure merchants are fully aware of what scopes are being granted to their apps, we’ll build a strong and trusting app ecosystem.

Questions about changes to the Order API?Ask them in the comments below!

Topics:

Grow your business with the Shopify Partner Program

Learn more