Quick question about whether it is safe to have an iOS app that will be released to public to have the Admin API key with it?
Ofcourse, it won't be kept in plain text but just want to check?
From what I can see the Storefront Mobile Buy SDK doesn't allow for a refund to be set up by the user, but creating a refunds / returns looks possible by using the shopify admin API (which by the way, is not as nicely documented haha).
To try and narrow down my question to avoid ambiguity:
Do I pose any risk if I enable read_orders & write_orders permission on the Admin API and access the order from there via my iOS application that will be made public?