
Implementing GDPR webhooks when my app does not use read_customers or read_orders access scopes?

Solved

Reviewerly

My app is not registered to the read_customers or read_orders access scopes since there is no need. As a result, Shopify does not send requests to customers/data_request or customers/redact (2 of the mandatory GDPR webhooks). Because Shopify does not send the requests, my app has no way of responding with the 200 status code. According to Shopify docs, though, all public apps need to respond with the 200 status code.

In other words, I am confused. If my app does not use the read_customers or read_orders permissions, meaning Shopify will not send requests to my endpoints, is that fine? I have the endpoints saved in the App Setup, but they will never be used, as Shopify will not send the requests in the first place. I could be overthinking this, but I just want to make sure that since Shopify is not sending the data requests, I do not need to respond with status codes for those 2 webhooks.

On the other hand, maybe it is necessary for my app to register to read_customers and read_orders, if only to satisfy the webhooks requirement? I am scared of doing this, as Shopify advises only registering webhooks necessary for app functionality.

Would REALLY appreciate a quick reply on this. It's the only thing holding me back from submitting for review. Thanks!

Replies (5)

mikedasilva (Shopify Staff)

Hi,

Here is a link to the docs outlining the 3 mandatory webhooks you should be able to respond to regardless of the scopes (permissions) that your app is using. There's no need to register for read_customers and read_orders; these aren't required for these GDPR webhooks.

Cheers,

Mike

mikedasilva | Developer @ Shopify

Reviewerly

Thanks for the reply. How am I supposed to respond to the webhooks when Shopify ONLY sends a request if the app has been granted access to customer or order data (see the screenshot below)? That's the entire problem. If I do not register the read_customers/read_orders permissions, then the endpoints I provided will never even be hit up.

[Screenshot.PNG]

mikedasilva (Shopify Staff)

This is an accepted solution.

The idea here is that you're able to receive those webhooks and when/if you do receive any, you acknowledge that you received them with a 200 response and act accordingly.

You're right in that you will likely never get any data_request webhooks delivered since your app hasn't been granted those permissions, but I think it's still possible to receive the shop/redact webhook, which follows the same logic - if you receive this, provide a 200 response to acknowledge that you did.

Does that help clear it up?
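A minimal handler for the three mandatory compliance endpoints, added here as an illustration; it is not code from this thread or from Shopify's own libraries. It shows the point made in the accepted answer above and in the first reply: the endpoints exist and acknowledge any delivery with a 200 whether or not the app holds read_customers or read_orders, and a shop/redact delivery can still arrive. It also adds the check an app reviewer will expect before that 200 is sent: Shopify signs every webhook delivery with HMAC-SHA256 over the raw request body, keyed with the app's API secret and base64-encoded in the X-Shopify-Hmac-Sha256 header, so an unsigned or tampered request should get a 401 rather than an acknowledgement. APP_SECRET, enqueue_job and JOB_QUEUE are names assumed for this example, and the sample delivery at the bottom is constructed, not a real Shopify payload.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumed for this example: a real app loads its API secret key from
# configuration or a secret store, never from source code.
APP_SECRET = b"shpss_example_secret_not_real"

# Shopify puts the base64 HMAC-SHA256 of the raw body (keyed with the app
# secret) in this header, and the webhook topic in the topic header.
HMAC_HEADER = "X-Shopify-Hmac-Sha256"
TOPIC_HEADER = "X-Shopify-Topic"

# The three mandatory compliance topics discussed in the thread.
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}

# Hypothetical stand-in for a real job queue: the webhook handler must only
# acknowledge quickly; the actual export or deletion runs out of band.
JOB_QUEUE = []


def enqueue_job(kind: str, shop_domain: Optional[str], subject_id) -> None:
    JOB_QUEUE.append((kind, shop_domain, subject_id))


def compute_hmac(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Return the base64 HMAC-SHA256 digest Shopify would send for raw_body."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hmac(raw_body: bytes, header_value: Optional[str], secret: bytes = APP_SECRET) -> bool:
    """Constant-time comparison against the header; a missing header fails closed."""
    if not header_value:
        return False
    return hmac.compare_digest(compute_hmac(raw_body, secret), header_value)


def handle_compliance_webhook(headers: dict, raw_body: bytes,
                              secret: bytes = APP_SECRET) -> Tuple[int, dict]:
    """
    Return (status_code, response_body) for one webhook delivery.
    The signature is checked on the raw bytes before any JSON parsing, so a
    forged request is rejected with 401 instead of being acknowledged with 200.
    """
    if not verify_hmac(raw_body, headers.get(HMAC_HEADER), secret):
        return 401, {"error": "invalid webhook signature"}

    topic = headers.get(TOPIC_HEADER, "")
    if topic not in COMPLIANCE_TOPICS:
        return 404, {"error": "unsupported topic: " + topic}

    payload = json.loads(raw_body)
    shop_domain = payload.get("shop_domain")
    customer_id = payload.get("customer", {}).get("id")

    # Whether or not this app ever stored customer data, the delivery is
    # acknowledged; the queued job decides there is nothing to export/delete.
    if topic == "customers/data_request":
        enqueue_job("export_customer_data", shop_domain, customer_id)
    elif topic == "customers/redact":
        enqueue_job("delete_customer_data", shop_domain, customer_id)
    else:  # shop/redact: sent after uninstall even without customer scopes
        enqueue_job("delete_shop_data", shop_domain, None)

    return 200, {"received": topic}


if __name__ == "__main__":
    # Constructed sample delivery, signed the way Shopify would sign it.
    body = b'{"shop_id": 954889, "shop_domain": "example.myshopify.com"}'
    signed_headers = {HMAC_HEADER: compute_hmac(body), TOPIC_HEADER: "shop/redact"}
    print(handle_compliance_webhook(signed_headers, body))   # (200, {...})
    print(handle_compliance_webhook({TOPIC_HEADER: "shop/redact"}, body))  # (401, {...})
```

Two details matter in practice: verify against the raw body bytes exactly as received, not a re-serialised JSON object, since any whitespace change breaks the digest; and treat header names as case-insensitive (most frameworks normalise them, this plain dict does not).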

Reviewerly

Ok, I was beginning to think that. So basically, the requirement is that my app should be able to respond to the webhooks in the hypothetical case that a request is ever sent; in other words, all I need to do is set up the endpoints properly so that they respond with a 200 status code. Whether or not the requests are actually sent is Shopify's problem, not mine.

Could you confirm if my understanding is correct?

mikedasilva (Shopify Staff)

That's exactly it!

Cheers
