Can a Customer Update App with New Permissions?

Topic summary

Main issue: After adding new app permissions (scopes), how can merchants re-approve without uninstalling/reinstalling?

Key points:

  • Uninstall/reinstall is not needed. Shopify’s app flow supports reauthorization on scope changes.
  • Implementation: compare the app’s currently requested scopes to the previously saved scopes; if they differ, redirect the merchant to the OAuth consent page to re-approve. Upon approval, save the new scopes in the database.
  • Charges remain intact; the existing app charge stays associated with the install during reauthorization.

Definitions:

  • Scopes: the set of permissions an app requests from a store.
  • OAuth consent page: the authorization screen where a merchant grants app permissions.

Configuration/Docs:

  • For apps using the Shopify App framework, enable behavior to authenticate on scope change or implement the scope comparison and redirect logic yourself.
  • A GitHub documentation link on “Handling Access Scope Changes” was provided for guidance.

Outcome/Status:

  • Original concern addressed with a clear path: trigger OAuth reauthorization on scope changes.
  • Follow-up query about where to find the setting was answered with the documentation link. The discussion appears resolved.
Summarized with AI on January 31. AI used: gpt-5.

Strange. This is 100% built-in to the Shopify App. You notice in the configuration the “authenticate on scope change” setting and set that to true. When an App install is approved, the scopes are saved along with the access token. So when you change App scopes, a little routine compares the provided App scopes with the ones you previously saved. If they differ and it means the merchant needs to re-approve the scope changes, the App just redirects to that page asking the merchant if they approve. If they do, the new scopes get saved in the DB, and you’re golden. There is NO WAY you want the merchant to uninstall and re-install.

This has been in the code for about a year now or more. I am not sure when it was actually added but the GitHub repo clearly shows this change. Just follow that recipe if you rolled your own App.
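For apps that roll their own flow, the compare-and-redirect routine described in the post could look like the sketch below. It is an added example, not code from the Shopify App repository or from the poster. The function names, client ID, callback URL and shop domain are constructed; the shop-domain check, the `state` nonce and the treatment of `write_x` as covering `read_x` are assumptions added here about a sound implementation, not steps taken from the post.

```ruby
require "set"
require "securerandom"
require "uri"

# Assumption: only *.myshopify.com hosts are accepted, so a tampered
# shop parameter cannot turn the redirect into an open redirect.
SHOP_RE = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/

# Split a comma-separated scope string into a clean array.
def parse_scopes(scopes)
  scopes.to_s.split(",").map(&:strip).reject(&:empty?)
end

# Expand scopes so that write_x also counts as read_x; otherwise a saved
# "write_products" would look different from "read_products,write_products".
def expand_scopes(scopes)
  list = parse_scopes(scopes)
  implied = list.map { |s| s.sub(/\A(unauthenticated_)?write_/, '\1read_') }
  Set.new(list + implied)
end

# True when the scopes saved at install differ from what the app requests now.
def reauth_required?(saved, requested)
  expand_scopes(saved) != expand_scopes(requested)
end

# Returns nil when nothing changed, otherwise the consent-page URL plus the
# state nonce to keep in the session and verify on the OAuth callback.
def consent_redirect(shop:, saved:, requested:, client_id:, redirect_uri:)
  raise ArgumentError, "invalid shop domain" unless SHOP_RE.match?(shop)
  return nil unless reauth_required?(saved, requested)

  state = SecureRandom.hex(16)
  query = URI.encode_www_form(
    client_id: client_id,
    scope: parse_scopes(requested).join(","),
    redirect_uri: redirect_uri,
    state: state
  )
  { url: "https://#{shop}/admin/oauth/authorize?#{query}", state: state }
end

if __FILE__ == $0
  # Constructed sample values, not from any real store or app.
  r = consent_redirect(shop: "example-shop.myshopify.com",
                       saved: "read_products",
                       requested: "read_products,write_orders",
                       client_id: "EXAMPLE_CLIENT_ID",
                       redirect_uri: "https://app.example/auth/callback")
  puts r ? "redirect merchant to: #{r[:url]}" : "scopes unchanged"
end
```

On the callback, overwrite the saved scopes only after the `state` value matches the one stored in the session and the token exchange has succeeded.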