My Embedded App asks for the following permissions:
However, when I try to make an REST Api request to the FulfillmentEvent API. I get an HTML response with what looks like an authorization request for the Shop owner.
Looking at the response, it seems it's asking for an "email" permissions. The Link URL contains a "scope=email":
I don't see "email" as a valid scope in the documentation, is it safe to include "email" in my original/first-time install & authorization handshake?