Update order metafields using input from customer.

4 0 1

Hello everyone,

I was wondering what would be the best way to go about updating order metafields using a form on the order page. Below I have attached a screenshot with my current setup.

Currently when you press the submit button a proxied PUT request goes to my server which will handle the request.
This issue that I'm running into is that I need the order_id (so not the number) to make a Admin API request from my server. I also need to make sure an attacker won't be able to manipulate the call to my server editing orders that aren't his.

Thanks in advance.

Order page:
Annotation 2020-06-05 154213.png

Shopify Staff
Shopify Staff
592 72 131

Hey @Skennem,

On the order status page, the order_id is available through liquid the liquid tag {{ order_id }}. You can add this tag in a script on the admin "Settings" > "Checkout" page, and it will be rendered as a string containing the order_id on the order status page.


One option to consider for security is the token available in the URL. When a customer completes a payment, they're forwarded to the "thank you" page with this URL structure: https://example.com/{{shop_id}}/checkouts/{{checkout_token}}  The checkout token found in this URL is also available in the order API response (the field is called checkout_token). You can use this token to ensure the request came from the order status page of the order you're making changes to. There may be other security considerations to keep in mind, but this is one way I can think to ensure the request belongs to the order it's meant to edit.


If you go this route, keep in mind that the URL structure noted above is only used the first time the customer visits the order status page. A different URL structure is used once this page is refreshed, or when the page is accessed through a link in the order confirmation e-mail. The structure is https://example.com/{{shop_id}}/order/{{order_token}}  The token here is also available in the order API response (in the field called token), so you'll need to check which URL the request came from and compare the correct token. 

JB | Developer Support @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Click Accept as Solution