Hello,
Is it safe to store sensitive information in product metafields?
I don't mean any personal or financial customer information, but only information that can be accessed by those who purchased the product.
The information I want to store in the metafields isn't free and should be safe (download links, paid tutorials, etc.).
Thanks,
Enrique
This is an accepted solution.
Metafield resources were almost always subject to hacking because originally they had zero security. Anyone with a decent scoped API key could read, write metafield resources for almost anything. Can you say problematic wild west. Some App developers went overboard and made everything a metafield, while others tried to be careful and only store valuable info there. So along came twits that would accidentally erase metafields not of their creating, ruining merchant lives!!
So Shopify got wise in a way, and now when you create a metafield, and it is scoped to your APP, other Apps cannot monkey with your metafield resource. That being said, reading a key:value pair is a Liquid thing, so sloppy Liquid could expose metafield data in order emails, etc. So the answer to your question is subtle.
Yes you can store important info in them. It is probably not wise to store customer-centric info in a product metafield though. You more likely want to save that in the customer record itself. Or even the customer order. So if a customer purchases a product, that belongs to the customer's order. Pollute the order with the product specific info. Then expose it ONLY in the customer account Liquid, where they can scan their orders, and see their products.
Just saying... if you sell 10000 people a product, you probably do not want 10000 metafield resources attached to that product. Would be kinda gnarly...
Thanks HunkyBill for your descriptive reply, very much appreciated.
Hello Sir, I have created 2 metafields with the REST API using App #1.
But when I send a GET request from App #2, it shows the fields created by App #1.
Can you please tell me how to create metafields that can be read, updated, and deleted only by the app that created them?
Look into private Metafields. I think that is what you might be interested in. They are only available to the App that created them.
Sir, is there any documentation for private metafields? Please share the link and how to create them using the REST API.
Currently I am using this code to create metafields:
// Shop-level metafield payload for the REST Admin API
$metafield = array(
    "metafield" => array(
        "namespace" => "hxs_lcs",
        "key" => "hxs_lcs_api",
        "value" => "LeopardsApiKey",
        "value_type" => "string",
        "description" => "this is hxs_lcs_api"
    )
);
// API key and password are passed as basic-auth credentials in the URL
$url = "https://xxxxx:xxxxx@xxxxx.myshopify.com/admin/api/2021-01/metafields.json";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_VERBOSE, 0);
// Include the response headers in $response
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($metafield));
// Keep TLS certificate verification on; with it off, the credentials in the URL can be intercepted
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
$response = curl_exec($curl);
curl_close($curl);
But when I checked, it can be accessed by other apps.
Need help please
Regards
You probably need to use the GraphQL API.
https://shopify.dev/docs/admin-api/graphql/reference/metafields/privatemetafield
Shopify is moving away from the REST API anyway, so this is a good time for you to get into the GraphQL version, which is for the most part very nice to use.
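The private-metafield suggestion above, as an added example that is not part of the original thread or Shopify's own sample code: it sends the `privateMetafieldUpsert` mutation to the GraphQL endpoint of the same API version (2021-01) used in the REST snippet, with the token in a header and certificate checks left on. The function names and the `SHOP_DOMAIN`, `SHOPIFY_ACCESS_TOKEN` and `LCS_API_KEY` environment variables are assumptions; the namespace and key are the ones from the question.

```php
<?php
// Added example (not from the thread). Env var and function names are assumptions.
declare(strict_types=1);

function buildPrivateMetafieldRequest(string $namespace, string $key, string $value): string
{
    $query = <<<'GRAPHQL'
    mutation privateMetafieldUpsert($input: PrivateMetafieldInput!) {
      privateMetafieldUpsert(input: $input) {
        privateMetafield { namespace key valueType }
        userErrors { field message }
      }
    }
    GRAPHQL;
    // No "owner" is given, so the metafield is attached to the shop, as in the REST call.
    $input = [
        'namespace'  => $namespace,
        'key'        => $key,
        'valueInput' => ['value' => $value, 'valueType' => 'STRING'],
    ];
    return json_encode(['query' => $query, 'variables' => ['input' => $input]], JSON_THROW_ON_ERROR);
}

function sendGraphql(string $shop, string $token, string $body): array
{
    $curl = curl_init("https://{$shop}/admin/api/2021-01/graphql.json");
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // certificate checks stay on
        CURLOPT_SSL_VERIFYHOST => 2,
        // Token travels in a header, not in the URL where it ends up in logs
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json', 'X-Shopify-Access-Token: ' . $token],
    ]);
    $raw = curl_exec($curl);
    if ($raw === false) {
        throw new RuntimeException('cURL error: ' . curl_error($curl));
    }
    curl_close($curl);
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// The secret is read from the environment; the fallback is a constructed sample value.
$body  = buildPrivateMetafieldRequest('hxs_lcs', 'hxs_lcs_api', getenv('LCS_API_KEY') ?: 'constructed-sample-value');
$shop  = getenv('SHOP_DOMAIN');
$token = getenv('SHOPIFY_ACCESS_TOKEN');
if ($shop && $token) {
    $result = sendGraphql($shop, $token, $body);
    print_r($result['data']['privateMetafieldUpsert']['userErrors'] ?? $result); // empty list on success
} else {
    echo $body, PHP_EOL; // offline: print the request that would be sent
}
```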