A staff store recently installed our app and after a few days the REST api is returning an error "API Access has been disabled".
Given it's a staff account, I'm not too concerned, but I'm still curious what this means?
How does it get into that state and can it happen to a real store?
I can see the case you're talking about. Your API permission will have gotten into this state as a result of the staff member disabling it themselves on their shop with our internal tooling. I can't speak for what they're up to personally but you should have nothing to worry about.
To add more detail: it’s actially a state the api permission is in, rather than it being revoked. Regaining access through that permission on our end is a matter of flipping a value from false to true on that object, so it doesn’t fully align with app/uninstalled.
I see what you’re getting at with the feedback though and a way to know when this happens regardless makes sense, so noted!
I don't think it'd make too much sense to clean up resources created by your app if that's what you mean, since I assume you'd still want them to be there when the api access is reinstated. It does make sense however to perhaps not bother you with webhooks if your access is currently disabled.
At any rate doing this is usually meant to be on a pretty temporary basis and saw no reason not to switch it back on for you, so you should have access again.
For some reason I didn't receive an email for your previous message and I had missed it when I last posted.
I was under the impression this was effetively the same as an uninstall, so I had mark this store as uninstalled in our app.
Regarding webhoooks. When our app receives a webhook, sometimes we call back into the REST api to load additional details. But in this instance, even though we are receiving webhooks, we cannot call back into the REST api because the access token is "disabled".
So these webhook requests are basically stuck in our queue and we must manually clear them.
I hope this clarifies why this is painful. I'd much rather not receive any webhooks if I cannot process them succesfully.
Sorry, I could have been clearer. Or maybe I misunderstood. Do you presently still not have the ability to remove the webhooks on the staff shop in question since I switched API access back on, or do you mean in general during these situations?
If the latter, you wouldn't really be able to until access was re-enabled by someone over here. With that being said, it isn't exactly proper form to leave access disabled for any app without a disclosed reason.