Shopify is requiring apps to migrate from REST API to GraphQL for managing publication data, specifically using the publishablePublish mutation. This change mandates the write_publications permission, which must be requested through a form submission, with permissions backfilled every Friday.
Key transition details:
Apps currently using REST API will continue functioning normally until the migration deadline
Developers must update their app to request write_publications scope before submitting the permission form
For existing installations, permissions are backfilled after form submission, but merchants must manually review and approve new permissions through Shopify admin
No programmatic permission activation is available; apps can only guide merchants with instructions or links
Important clarifications:
Even apps only readingpublished_at or published_scope via REST need write_publications when migrating to GraphQL, as the publishablePublish mutation inherently requires write access
During the transition period (between form submission and Friday backfill), new customer installations won’t have the required scope until permissions are granted
Apps already having both read_publications and write_publications permissions only need to verify availability across all store installations
Summarized with AI on November 2.
AI used: claude-sonnet-4-5-20250929.
I have a question regarding the migration process and the new write_publications permission requirements. Based on your email, we understand that:
Apps using the REST API to read/write published_at/published_scope must transition to GraphQL and use the publishablePublish mutation.
This transition requires the write_publications permission, which must be requested via the provided form.
Permissions are backfilled every Friday after submitting the form.
If I submit the form today and permissions are granted on Friday, what happens to customers connecting to my app between today and Friday? My app does not currently require this scope when using the REST API. Will those customers experience any issues during this transition period, or will the app continue functioning as expected?
Your app will continue functioning as expected during the transition if it currently uses the REST API and doesn’t require the write_publications scope. The REST API will still honour existing scopes until the migration deadline. However, once your app starts using the GraphQL publishablePublish mutation, the write_publications scope will be required, and you must have this permission for your app to function correctly.
Requesting permissions:
The email specifies that you must first update your app to request the write_publications scope before submitting the form. This ensures that the scope is included in the OAuth flow for new installs.
For existing installations, Shopify will backfill the requested permissions after you submit the form. Until the permissions are backfilled, those installations won’t have access to write_publications.
Merchants will need to review and approve the new permissions in their admin. Shopify’s process requires them to manually review permissions since these involve sensitive actions.
Programmatic activation of permissions:
Shopify does not allow apps to programmatically enable permissions on behalf of merchants. Merchants must manually grant these permissions via their admin interface. Your app can guide them with instructions or provide a UI element with a link to the Shopify admin permissions page, but they must take action themselves.
Specific Scenarios:1. Apps reading but not writing via REST:
Even if your app only reads published_at or published_scope via REST, the transition to GraphQL requires requesting write_publications. This is because the publishablePublish mutation inherently requires write access to manage publications, regardless of whether your app writes to those fields.
If permissions are already granted:
If your app already has read_publications and write_publications permissions and is using publishablePublish, there’s no further action required aside from verifying that the permissions are available for all stores where your app is installed.