Is it safe to store sensitive information in product metafields?
I don't mean any personal or financial customer information, but only information that can be accessed by those who purchased the product.
The information I want to store in the metafields isn't free and should be safe (download links, paid tutorials, etc.).
This is an accepted solution.
Metafield resources were almost always subject to hacking because originally they had zero security. Anyone with a decent scoped API key could read and write metafield resources for almost anything. Can you say problematic wild west? Some App developers went overboard and made everything a metafield, while others tried to be careful and only store valuable info there. So along came twits that would accidentally erase metafields not of their creating, ruining merchant lives!!
So Shopify got wise in a way, and now when you create a metafield, and it is scoped to your APP, other Apps cannot monkey with your metafield resource. That being said, reading a key:value pair is a Liquid thing, so sloppy Liquid could expose metafield data in order emails, etc. So the answer to your question is subtle.
Yes, you can store important info in them. It is probably not wise to store customer-centric info in a product metafield though. You more likely want to save that in the customer record itself. Or even the customer order. So if a customer purchases a product, that belongs to the customer's order. Pollute the order with the product-specific info. Then expose it ONLY in the customer account Liquid, where they can scan their orders, and see their products.
Just saying... if you sell 10000 people a product, you probably do not want 10000 metafield resources attached to that product. Would be kinda gnarly...
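To check the "sloppy Liquid" risk described in this answer, the sketch below audits Liquid sources for references to a sensitive metafield namespace outside the customer account templates. It is an added example, not code from the thread or from Shopify; the namespace `paid_content`, the sample file contents and the `notifications/` path (standing in for an exported copy of an email template) are constructed assumptions.

```python
import re

# Assumption: purchased content should only be rendered by templates under
# templates/customers/ (the customer account pages of a standard theme).
ALLOWED_PREFIX = "templates/customers/"
# Hypothetical namespace holding the paid links; replace with your own.
SENSITIVE_NAMESPACE = "paid_content"

def metafield_pattern(namespace):
    """Match dot access (x.metafields.ns) and bracket access (x.metafields['ns'])."""
    ns = re.escape(namespace)
    return re.compile(
        r"\bmetafields\s*(?:\.\s*%s\b|\[\s*['\"]%s['\"]\s*\])" % (ns, ns)
    )

def audit_theme(files, namespace=SENSITIVE_NAMESPACE, allowed_prefix=ALLOWED_PREFIX):
    """Return (path, line_no, line) for each reference outside the allowed templates.

    `files` maps a theme-relative path to its Liquid source.
    """
    pattern = metafield_pattern(namespace)
    findings = []
    for path, source in sorted(files.items()):
        if path.startswith(allowed_prefix):
            continue  # customer account pages are the intended place
        for line_no, line in enumerate(source.splitlines(), start=1):
            if pattern.search(line):
                findings.append((path, line_no, line.strip()))
    return findings

# Constructed sample files, not taken from any real store.
SAMPLE_THEME = {
    "templates/customers/order.liquid":
        "{% for item in order.line_items %}\n"
        "  {{ order.metafields.paid_content.download_url }}\n"
        "{% endfor %}\n",
    "templates/product.liquid":
        "<h1>{{ product.title }}</h1>\n"
        "{{ product.metafields.paid_content.download_url }}\n",
    "notifications/order_confirmation.liquid":
        "{{ order.metafields['paid_content']['download_url'] }}\n",
    "sections/footer.liquid":
        "{{ shop.metafields.global.notice }}\n",
}

if __name__ == "__main__":
    for path, line_no, line in audit_theme(SAMPLE_THEME):
        print(f"{path}:{line_no}: {line}")
```

On the sample it flags the product page and the notification template, and leaves the customer order page and the unrelated `global` namespace alone.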
Look into private Metafields. I think that is what you might be interested in. They are only available to the App that created them.
Sir, is there any documentation of private metafields? Please share the link and how to create them using the REST API.
Currently I am using this code to create metafields:
    // Metafield payload for the REST Admin API
    $metafield = array(
        "metafield" => array(
            "namespace"   => "hxs_lcs",
            "key"         => "hxs_lcs_api",
            "value"       => "LeopardsApiKey",
            "value_type"  => "string",
            "description" => "this is hxs_lcs_api"
        )
    );

    $url = "https://xxxxx:firstname.lastname@example.org/admin/api/2021-01/metafields.json";

    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_VERBOSE, 0);
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($metafield));
    // Keep TLS certificate verification on: with it disabled, the credentials
    // in the URL and the stored value can be sent to an impersonated host.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    $response = curl_exec($curl);
    curl_close($curl);
But when I checked, it can be accessed by other apps.
Need help, please.
You probably need to use the GraphQL API.
Shopify is moving away from the REST API anyway, so this is a good time for you to get into the GraphQL version, which is, for the most part, very nice to use.