Creating gift cards without permission from customer

Technical Q&A
1

Hello!

I’m working on a Shopify app that will be publicly distributed. I have just created a customer in my Shopify admin dashboard, and I’m trying to create a Gift card for that customer through the API. I’m sending the following GraphQL request:

mutation GiftCardCreate {
    giftCardCreate(
        input: {
            initialValue: "24"
            expiresOn: "2025-10-31"
            customerId: "gid://shopify/Customer/8294029033690"
            recipientAttributes: { id: "gid://shopify/Customer/8294029033690" }
        }
    ) {
        userErrors {
            code
            field
            message
        }
    }
}

But I’m getting the following error:

 {
    "data": {
        "giftCardCreate": {
            "userErrors": [
                {
                    "code": "INVALID",
                    "field": [
                        "input",
                        "customerId"
                    ],
                    "message": "Cannot update the customer without customers permission."
                }
            ]
        }
    },
    "extensions": {
        "cost": {
            "requestedQueryCost": 10,
            "actualQueryCost": 10,
            "throttleStatus": {
                "maximumAvailable": 2000,
                "currentlyAvailable": 1990,
                "restoreRate": 100
            }
        }
    }
}

My app already have the following access scopes:
read_customers,write_customers,read_gift_cards,write_gift_cards,read_orders

I am successfully able to create gift cards when not attaching it to a specific customer.

Does anyone else know why the “Cannot update the customer without customers permission” error occurs?

2

Hi @johannett321

You are running into a security feature. The error occurs because your public app is trying to attach a gift card to a customer record it didn’t create. The Shopify API blocks this to protect customer data.

The recommended solution is to have your app create the customer first using the customerCreate mutation. Once you have the new customerId that the API returns, you can then successfully use it in your giftCardCreate mutation. Because your app “owns” the customer record, it has permission to modify it.

The alternative is to create the gift card without a customerId. This will succeed, but the card will be unassigned in Shopify, and your app will be responsible for delivering the gift card code to the correct person.

Hope this helps!

1 Like
3

Thank you for the quick reply!

My goal is to automatically issue a gift card when a customer makes their 10th purchase. If I understand correctly, since the customer record was originally created in Shopify (not by my app), I won’t be able to assign the gift card directly to that customer. In that case, I’ll need to create the gift card unassigned and handle delivery myself. Is that right?

4

There is no way to “request” permission from the customer? If not, I think the Shopify error message could be a bit better :smiley:

5

Not the same, but I’ve used this mutation via Flow and input was like this:

{
  "input": {
    "initialValue": "{{lineItemsForeachitem.variant.price}}",
    "customerId": "{{order.customer.id}}",
    "note": "Not Sure variant purchase compensation for order {{order.id}}",
    "code": "{{ lineItemsForeachitem.id | split:"/" | last}}sure"
  }
}

The card was created and delivered via e-mail to the customer referred by ID.
See here: Automatically issue digital gift card post purchase of a certain size of shoe - #3 by tim_1

Obviously, the customer was pre-existing…