FROM CACHE - en_header

Implementing GDPR webhooks when my app does not use read_customers or read_orders access scopes?

Solved
Reviewerly
Tourist
6 1 0
‎08-24-2021 04:16 PM

My app is not registered to the read_customers or read_orders access scopes since there is no need. As a result, Shopify does not send requests to customers/data_request or customers/redact (2 of the mandatory GDPR webhooks). Because Shopify does not send the requests, my app has no way of responding with the 200 status code. According to Shopify docs, though, all public apps need to respond with the 200 status code.

In other words, I am confused. If my app does not use the read_customers or read_orders permissions, meaning Shopify will not send requests to my endpoints, is that fine? I have the endpoints saved in the App Setup, but they will never be used, as Shopify will not send the requests in the first place. I could be overthinking this, but I just want to make sure that since Shopify is not sending the data requests, I do not need to respond with status codes for those 2 webhooks.

On the other hand, maybe it is necessary for my app to register to read_customers and read_orders, if only to satisfy the webhooks requirement? I am scared of doing this, as Shopify advises only registering webhooks necessary for app functionality.

Would REALLY appreciate a quick reply on this. It's the only thing holding me back from submitting for review. Thanks!

1,078 Views
0 Likes
Report
Accepted Solution (1)
In response to Reviewerly
mikedasilva
Shopify Staff (Retired)
Shopify Staff (Retired)
61 7 13
‎08-25-2021 10:57 AM

This is an accepted solution.

The idea here is that you're able to receive those webhooks and when/if you do receive any, you acknowledge that you received them with a 200 response and act accordingly.

You're right in that you will likely never get any data_request webhooks delivered since your app hasn't been granted those permission but I think it's still possible to receive the shop/redact webhook which follows the same logic - if you receive this, provide a 200 response to acknowledge that you did.

 

Does that help clear it up? 

mikedasilva | Developer @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

View solution in original post

825 Views
Report
Replies 5 (5)
mikedasilva
Shopify Staff (Retired)
Shopify Staff (Retired)
61 7 13
‎08-24-2021 05:28 PM

Hi,

Here is a link to the docs outlining the 3 mandatory webhooks you should be able to respond to regardless of the scopes (permissions) that your app is using. There's no need to register to read_customers and read_orders, these aren't required for these GDPR webhooks.

Cheers,

Mike

 

mikedasilva | Developer @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

986 Views
0 Likes
Report
In response to mikedasilva
Reviewerly
Tourist
6 1 0
‎08-24-2021 06:29 PM

Thanks for the reply. How am I supposed to respond to the webhooks when Shopify ONLY sends a request if the app has been granted access to customer or order data (see the screenshot below)? That's the entire problem. If I do not register the read_customers/read_orders permissions, then the endpoints I provided will never even be hit up.Screenshot.PNG

975 Views
0 Likes
Report
In response to Reviewerly
mikedasilva
Shopify Staff (Retired)
Shopify Staff (Retired)
61 7 13
‎08-25-2021 10:57 AM

This is an accepted solution.

The idea here is that you're able to receive those webhooks and when/if you do receive any, you acknowledge that you received them with a 200 response and act accordingly.

You're right in that you will likely never get any data_request webhooks delivered since your app hasn't been granted those permission but I think it's still possible to receive the shop/redact webhook which follows the same logic - if you receive this, provide a 200 response to acknowledge that you did.

 

Does that help clear it up? 

mikedasilva | Developer @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

826 Views
Report
In response to mikedasilva
Reviewerly
Tourist
6 1 0
‎08-25-2021 11:15 AM

Ok, I was beginning to think that. So basically, the requirement is that my app should be able to respond to the webhooks in the hypothetical case that a request is ever sent; in other words, all I need to do is set up the endpoints properly so that they respond with a 200 status code. Whether or not the requests are actually sent is Shopify's problem, not mine.

Could you confirm if my understanding is correct?

822 Views
0 Likes
Report
In response to Reviewerly
mikedasilva
Shopify Staff (Retired)
Shopify Staff (Retired)
61 7 13
‎08-25-2021 11:41 AM

That's exactly it!

Cheers

 

mikedasilva | Developer @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

816 Views
Report

Community Blog Articles

Skye_0-1685651890195.png
Creating a Shopify Store: The Importance Of Choosing The Right Theme

As a business owner, have you ever wondered when your customer's first impression of yo...

By Skye Jun 6, 2023
31-54-5hg9c-2x272
Community Update! Threading Improvements

We're excited to announce improvements to the threaded messaging experience in our communi...

By TyW May 31, 2023
crowd-participating-at-event.jpg
We Answered Your Questions to Help You Get the Most Out of Your Shopify <> ...

Thank you to everyone who participated in our AMA with Klaviyo. It was great to see so man...

By Jacqui May 30, 2023
Terms of Service Privacy Policy