Solved

Implementing GDPR webhooks when my app does not use read_customers or read_orders access scopes?

Reviewerly
Tourist

My app is not registered to the read_customers or read_orders access scopes since there is no need. As a result, Shopify does not send requests to customers/data_request or customers/redact (2 of the mandatory GDPR webhooks). Because Shopify does not send the requests, my app has no way of responding with the 200 status code. According to Shopify docs, though, all public apps need to respond with the 200 status code.

In other words, I am confused. If my app does not use the read_customers or read_orders permissions, meaning Shopify will not send requests to my endpoints, is that fine? I have the endpoints saved in the App Setup, but they will never be used, as Shopify will not send the requests in the first place. I could be overthinking this, but I just want to make sure that since Shopify is not sending the data requests, I do not need to respond with status codes for those 2 webhooks.

On the other hand, maybe it is necessary for my app to register to read_customers and read_orders, if only to satisfy the webhooks requirement? I am scared of doing this, as Shopify advises only registering webhooks necessary for app functionality.

Would REALLY appreciate a quick reply on this. It's the only thing holding me back from submitting for review. Thanks!


Replies 5 (5)

mikedasilva
Shopify Staff (Retired)

Hi,

Here is a link to the docs outlining the 3 mandatory webhooks you should be able to respond to regardless of the scopes (permissions) that your app is using. There's no need to register to read_customers and read_orders, these aren't required for these GDPR webhooks.

Cheers,

Mike

 

To learn more visit the Shopify Help Center or the Community Blog.

Reviewerly
Tourist

Thanks for the reply. How am I supposed to respond to the webhooks when Shopify ONLY sends a request if the app has been granted access to customer or order data (see the screenshot below)? That's the entire problem. If I do not register the read_customers/read_orders permissions, then the endpoints I provided will never even be hit up.

Screenshot.PNG

mikedasilva
Shopify Staff (Retired)

This is an accepted solution.

The idea here is that you're able to receive those webhooks and when/if you do receive any, you acknowledge that you received them with a 200 response and act accordingly.

You're right in that you will likely never get any data_request webhooks delivered since your app hasn't been granted those permissions, but I think it's still possible to receive the shop/redact webhook, which follows the same logic - if you receive this, provide a 200 response to acknowledge that you did.

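The two staff replies above (the three mandatory webhooks must be answerable regardless of scopes; acknowledge any you do receive with a 200 and act accordingly) leave the actual endpoint to the reader. The following is an added example written for this page; it is not code from the thread or from Shopify. It assumes what the thread does not state: the three topics are customers/data_request, customers/redact and shop/redact, Shopify signs each delivery with HMAC-SHA256 over the raw body using the app's client secret and sends it base64-encoded in the X-Shopify-Hmac-Sha256 header, the topic arrives in X-Shopify-Topic, and the JSON payloads carry shop_domain plus a customer object with an id. The secret, shop domain and in-memory store are constructed for the example. A request that is unsigned or tampered with gets 401 and is never acted on; a valid one gets 200 even when the app holds no customer or order data, which is exactly the situation the original poster is in.

```python
"""Receiver for the three mandatory Shopify compliance (GDPR) webhooks.

Added example for this thread, not Shopify's code. Field names, headers and
the signing scheme are stated as assumptions in the lead-in above.
"""
import base64
import hashlib
import hmac
import json

# Hypothetical client secret; a real app loads it from configuration.
CLIENT_SECRET = "example-client-secret"

# The three mandatory topics every public app must be able to answer.
MANDATORY_TOPICS = ("customers/data_request", "customers/redact", "shop/redact")

# Constructed stand-in for whatever the app persists per shop. Note there is
# no customer or order data here because the app never asked for those scopes.
SHOP_DATA = {
    "example.myshopify.com": {"settings": {"theme": "dark"}, "customers": {}},
}


def shopify_signature(body: bytes, secret: str) -> str:
    """Base64 HMAC-SHA256 of the raw request body, as carried in the header."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(body: bytes, header_value, secret: str) -> bool:
    """Constant-time comparison; a missing header fails closed."""
    if not header_value:
        return False
    return hmac.compare_digest(shopify_signature(body, secret), header_value)


def handle_compliance_webhook(headers: dict, body: bytes, secret: str = CLIENT_SECRET):
    """Return (status_code, response_body) for one incoming delivery."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # 1. Authenticate before parsing: anything not signed with our secret is rejected.
    if not verify_signature(body, h.get("x-shopify-hmac-sha256"), secret):
        return 401, {"error": "invalid or missing HMAC"}
    topic = h.get("x-shopify-topic", "")
    if topic not in MANDATORY_TOPICS:
        return 404, {"error": "unknown topic"}
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    shop = payload.get("shop_domain", "")
    store = SHOP_DATA.get(shop)

    # 2. Act on the topic, then acknowledge with 200 so Shopify stops retrying.
    if topic == "customers/data_request":
        # The app stores nothing about customers, so the export is empty.
        customer_id = payload.get("customer", {}).get("id")
        records = (store or {}).get("customers", {}).get(customer_id, [])
        return 200, {"customer_id": customer_id, "records": records}

    if topic == "customers/redact":
        customer_id = payload.get("customer", {}).get("id")
        if store:
            store.get("customers", {}).pop(customer_id, None)  # no-op when absent
        return 200, {"redacted_customer": customer_id}

    # shop/redact: erase everything the app kept for the shop (sent after uninstall).
    SHOP_DATA.pop(shop, None)
    return 200, {"redacted_shop": shop}


def make_request(topic: str, payload: dict, secret: str = CLIENT_SECRET):
    """Build the headers and body the way Shopify would (constructed test helper)."""
    body = json.dumps(payload).encode("utf-8")
    headers = {
        "X-Shopify-Topic": topic,
        "X-Shopify-Shop-Domain": payload.get("shop_domain", ""),
        "X-Shopify-Hmac-Sha256": shopify_signature(body, secret),
    }
    return headers, body


if __name__ == "__main__":
    hdrs, raw = make_request(
        "shop/redact", {"shop_id": 1, "shop_domain": "example.myshopify.com"}
    )
    print(handle_compliance_webhook(hdrs, raw))         # valid: 200
    print(handle_compliance_webhook(hdrs, raw + b" "))  # body tampered: 401
```

The HMAC check is the part worth getting right before submission: a receiver that returns 200 to everything also "acknowledges" forged redaction requests, which would let anyone who learns the endpoint URL wipe a shop's data. Verify over the raw bytes exactly as received (re-serialising parsed JSON changes whitespace and key order and breaks the signature), and compare with hmac.compare_digest rather than ==.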

Reviewerly
Tourist

Ok, I was beginning to think that. So basically, the requirement is that my app should be able to respond to the webhooks in the hypothetical case that a request is ever sent; in other words, all I need to do is set up the endpoints properly so that they respond with a 200 status code. Whether or not the requests are actually sent is Shopify's problem, not mine.

Could you confirm if my understanding is correct?

mikedasilva
Shopify Staff (Retired)

That's exactly it!

Cheers
