GraphQL migration

samitee · ‎01-08-2025

Hello,

I have a question regarding the migration process and the new write_publications permission requirements. Based on your email, we understand that:

Apps using the REST API to read/write published_at/published_scope must transition to GraphQL and use the publishablePublish mutation.
This transition requires the write_publications permission, which must be requested via the provided form.
Permissions are backfilled every Friday after submitting the form.

If I submit the form today and permissions are granted on Friday, what happens to customers connecting to my app between today and Friday? My app does not currently require this scope when using the REST API. Will those customers experience any issues during this transition period, or will the app continue functioning as expected?

Thank you for your assistance.

Ben310 · ‎01-08-2025

Ask your question here too. Based on the chats there:

Your app will continue functioning as expected during the transition if it currently uses the REST API and doesn’t require the write_publications scope. The REST API will still honour existing scopes until the migration deadline. However, once your app starts using the GraphQL publishablePublish mutation, the write_publications scope will be required, and you must have this permission for your app to function correctly.

Requesting permissions:
- The email specifies that you must first update your app to request the write_publications scope before submitting the form. This ensures that the scope is included in the OAuth flow for new installs.
- For existing installations, Shopify will backfill the requested permissions after you submit the form. Until the permissions are backfilled, those installations won’t have access to write_publications.
- Merchants will need to review and approve the new permissions in their admin. Shopify’s process requires them to manually review permissions since these involve sensitive actions.
- Programmatic activation of permissions:
  - Shopify does not allow apps to programmatically enable permissions on behalf of merchants. Merchants must manually grant these permissions via their admin interface. Your app can guide them with instructions or provide a UI element with a link to the Shopify admin permissions page, but they must take action themselves.

Specific Scenarios:

Apps reading but not writing via REST:
- Even if your app only reads published_at or published_scope via REST, the transition to GraphQL requires requesting write_publications. This is because the publishablePublish mutation inherently requires write access to manage publications, regardless of whether your app writes to those fields.
If permissions are already granted:
- If your app already has read_publications and write_publications permissions and is using publishablePublish, there’s no further action required aside from verifying that the permissions are available for all stores where your app is installed.

View solution in original post

Ben310 · ‎01-08-2025

Ask your question here too. Based on the chats there:

Your app will continue functioning as expected during the transition if it currently uses the REST API and doesn’t require the write_publications scope. The REST API will still honour existing scopes until the migration deadline. However, once your app starts using the GraphQL publishablePublish mutation, the write_publications scope will be required, and you must have this permission for your app to function correctly.

Requesting permissions:
- The email specifies that you must first update your app to request the write_publications scope before submitting the form. This ensures that the scope is included in the OAuth flow for new installs.
- For existing installations, Shopify will backfill the requested permissions after you submit the form. Until the permissions are backfilled, those installations won’t have access to write_publications.
- Merchants will need to review and approve the new permissions in their admin. Shopify’s process requires them to manually review permissions since these involve sensitive actions.
- Programmatic activation of permissions:
  - Shopify does not allow apps to programmatically enable permissions on behalf of merchants. Merchants must manually grant these permissions via their admin interface. Your app can guide them with instructions or provide a UI element with a link to the Shopify admin permissions page, but they must take action themselves.

Specific Scenarios:

Apps reading but not writing via REST:
- Even if your app only reads published_at or published_scope via REST, the transition to GraphQL requires requesting write_publications. This is because the publishablePublish mutation inherently requires write access to manage publications, regardless of whether your app writes to those fields.
If permissions are already granted:
- If your app already has read_publications and write_publications permissions and is using publishablePublish, there’s no further action required aside from verifying that the permissions are available for all stores where your app is installed.

GraphQL migration