[ACTION REQUIRED] Apps require Shopify approval to read orders older than 60 days

Community Manager

Shopify is introducing an important change to our Orders API, to help preserve the trust that merchants have when using third-party apps.

As of today (June 6th, 2018), public apps will no longer be able to access a merchant’s orders older than 60 days with the current read_orders or write_orders access scopes.

Going forward, apps that require access to all of a merchant’s orders will first need to be approved by Shopify. Once Shopify approves the request, apps can begin requesting the new read_all_orders scope during OAuth.

Key changes

How to request access to read_all_orders

  1. Partners can request approval to read orders older than 60 days via the partners dashboard.

  2. Once approved by a Shopify admin, and you have been notified that your app was granted access, you must then request the new read_all_orders access scope during OAuth. Note that you must use the new read_all_orders scope in conjunction with one of read_orders or write_orders scope.

These changes to the Order API will help assure merchants that their data is safe with your app and with Shopify. By being mindful of what data apps need to access, and making sure merchants are fully aware of what scopes are being granted to their apps, we’ll build a strong and trusting app ecosystem.

To learn more about the read all orders change, check out our blog post here.

If you have any questions or concerns, don’t hesitate to reach out to read-all-orders-request@shopify.com or comment in the thread below.

 

Edit: 10:15am EDT

A large majority of pre-approved apps viewing orders older than 60 days have been migrated to have the new permission automatically. If your app is one of them you will receive an email from the Shopify Apps Team today.

Edit: 10:40am EDT

Private apps are not affected by this change and automatically will have the scope.

The majority of apps that were previously accessing orders older than 60 days have been grandfathered into the new permission. You will still need to add the new scope to your OAuth flow. An email will be sent out shortly to your registered e-mail if your app is included in this list. You can also check this in the App Setup section of the Partners Dashboard; you'll either see a section to request all orders access or a status message that says "Your app can access the full order history for a store."

Edit: 1:40pm EDT

Hey All, just want to clear up some confusion as we're seeing the same question a few times.

A) Private apps

  • No action required, have been granted the ability to view orders older than 60 days by default

B) Public App that has been approved to view orders older than 60 days (grandfathered)

  • No need to request the ability to see orders older than 60 days from Shopify
  • Have to add `read_all_orders` to their OAuth request in conjunction with either `read_orders` or `write_orders` before July 9th, 2018
  • After July 9th, 2018, will not be able to see orders older than 60 days on a per shop basis unless they have been approved by the merchant with `read_all_orders`

C) Public App that has not been approved

  • Cannot add `read_all_orders` to their OAuth request without prior Shopify approval
  • Cannot view orders older than 60 days as of today, June 6th, 2018
  • If approved, now has the same requirements as B)

Developer Experience @ Shopify
0 Likes
Shopify Partner

How will this prevent Apps from storing their own databases of orders if trust is a key feature in this change?

What would be better is ask the merchant if they want to grant it or not rather than making us go the “big brother” route.

Also well done in keeping us in the loop to make changes or get approved.

"Good design is good business"
1 Like
Shopify Partner

Ryan,

This change breaks my app without any notice.  I will be reaching out to your email as well but a breaking change like this deserves at least a few weeks notice.  Otherwise, how are we expected to make this a smooth transition for Shopify merchants?

Could you undo this change and give some notice? 

Thanks,

Tom

⭐️ Flair product badges https://apps.shopify.com/flair ⭐️ Best Sellers - https://apps.shopify.com/best-sellers
1 Like
Community Manager

> What would be better is ask the merchant if they want to grant it or not rather than making us go the “big brother” route.

This is what the requirement to re-OAuth with the new permission is; asking the merchant if they want to grant the app the ability to see older orders.

Developer Experience @ Shopify
0 Likes
New Member

This breaks our apps without notice (as Tom points out). How come you couldn't give us at least enough notice to submit our requests for the data? I just filled out the request and it states it could take 7 days to process.

 

thanks

Justin

1 Like
Shopify Partner

Hey Ryan,

 

If we have existing authed stores with read_orders scope and have the read_all_orders scope approved on our App do we have to get existing stores to re-authenticate their store with our app to get > 60 day access?

 

Cheers,


Martin

1 Like

For anyone else freaking out about this, and wondering how to check/request access for the full order history, it seems you can do it in your Partner Dashboard by doing the following:

1. Go to Apps
2. Click on your app name
3. Click on "App setup" in the top menu
4. Look for the new "Orders" section (see screenshot)

On my apps, I can see they came pre-approved to access the full order history. However, I'm still unsure if I need to add the new scope to my apps, but will do it just in case!?

Regards,
Bjorn

Bjorn Forsberg | FORSBERG+two | Award-winning Shopify Apps since 2011
1 Like
Community Manager

> This change breaks my app without any notice. I will be reaching out to your email as well but a breaking change like this deserves at least a few weeks notice. Otherwise, how are we expected to make this a smooth transition for Shopify merchants?
>
> Could you undo this change and give some notice?

> This breaks our apps without notice (as Tom points out). How come you couldn't give us at least enough notice to submit our requests for the data? I just filled out the request and it states it could take 7 days to process.

The change was made without notice to prevent bad actors from pre-emptively saving all orders from every shop they are installed on. That being said, a large majority of pre-approved apps viewing orders older than 60 days have been migrated to have the new permission automatically. If your app is one of them you will receive an email from the Shopify Apps Team today.

> How will this prevent Apps from storing their own databases of orders if trust is a key feature in this change?

It doesn't. It is up to each app developer to set their own standards of data privacy.

Developer Experience @ Shopify
2 Likes
Shopify Expert

Wow. Nice one. Dropping the bomb on us I see. All for the well-being of clients. So I ask for permission. I get it. Now I need all my clients to approve the App again. Supposing they all do that without question, exactly nothing has been accomplished here. Except we get emergency drop everything work. 

Assuming we ignore Shopify directive Crazy999, hashtag #makingthingsupaswegoalongwithnonotice:

 

WHAT HAPPENS TO APPS THAT TRY AND GO BACK 61 or more days? Does Shopify feed us a 422 or something thus breaking our Apps and killing our chances of keeping happy clients?

 

PS I love how this is labelled under ECOMMERCE UNIVERSITY instead of a forum labelled LateBreakingNoNonsenseNewsAboutMakeWorkForDevelopers posts. Like it is shrouded in the deeper mysteries of learning and discovering great things instead of SNAFU morsels.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
3 Likes
Community Manager

> If we have existing authed stores with read_orders scope and have the read_all_orders scope approved on our App do we have to get existing stores to re-authenticate their store with our app to get > 60 day access?

Yes, you will have to re-OAuth, this is the merchant agreeing to allow your app access to orders > 60 days.

> On my apps, I can see they came pre-approved to access the full order history. However, I'm still unsure if I need to add the new scope to my apps, but will do it just in case!?

You will still need to add the new scope to your app's OAuth flow.

Developer Experience @ Shopify
1 Like
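
The scope pairing rule from the announcement and the re-OAuth requirement for existing installs, as an added example that is not code from Shopify or from anyone in this thread. The function names, the `/admin/oauth/authorize` path, the comma-separated scope string, the shop-domain check and the rule that a `write_*` grant covers the matching `read_*` are assumptions not stated on this page; the sample grants are constructed.

```python
import re
import secrets
from urllib.parse import urlencode

ORDER_SCOPES = {"read_orders", "write_orders"}
ALL_ORDERS = "read_all_orders"
SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")


def validate_scopes(scopes):
    """Enforce the pairing rule: read_all_orders needs read_orders or write_orders."""
    scopes = set(scopes)
    if ALL_ORDERS in scopes and not scopes & ORDER_SCOPES:
        raise ValueError(f"{ALL_ORDERS} must accompany read_orders or write_orders")
    return scopes


def build_authorize_url(shop, client_id, redirect_uri, scopes):
    """Return (url, state); state is a per-request nonce to compare on the callback."""
    if not SHOP_RE.fullmatch(shop):  # refuse to redirect to an arbitrary host
        raise ValueError(f"not a myshopify.com shop domain: {shop!r}")
    state = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "scope": ",".join(sorted(validate_scopes(scopes))),
              "redirect_uri": redirect_uri, "state": state}
    return f"https://{shop}/admin/oauth/authorize?{urlencode(params)}", state


def effective(granted):
    """Parse a stored grant string. Assumption: write_x also covers read_x."""
    scopes = {s.strip() for s in granted.split(",") if s.strip()}
    return scopes | {"read_" + s[len("write_"):] for s in scopes if s.startswith("write_")}


def shops_needing_reauth(granted_by_shop, required):
    """Shops whose stored grant lacks a scope the app now requires."""
    required = validate_scopes(required)
    return sorted(s for s, g in granted_by_shop.items() if not required <= effective(g))


# Constructed sample: scope strings the app stored per shop at install time.
SAMPLE_GRANTS = {
    "old-install.myshopify.com": "read_orders,read_products",
    "new-install.myshopify.com": "write_orders,read_all_orders",
}
NEEDS_REAUTH = shops_needing_reauth(SAMPLE_GRANTS, {"read_orders", ALL_ORDERS})
print("re-OAuth needed:", NEEDS_REAUTH)
```

Requesting only the scopes the app uses, and re-checking the scope string returned with each new token against what was requested, keeps the stored grants accurate for this comparison.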