Issue with Accessing Order Object in Shopify App Despite Correct Scopes

Topic summary

A developer encountered a “This app is not approved to access the Order object” error when querying Shopify orders via GraphQL, despite having correct scopes configured (edit orders, 60-day order access, view discounts). The issue occurred only when making requests from a UI Extension to the Remix backend, not in local development.

Key Details:

  • Query included standard order fields plus metafields from a custom namespace
  • Scopes were properly set in environment variables and shopify.app.toml
  • Order was within the 60-day permission window

Attempted Solutions:

  • Adding products scope (unsuccessful)
  • Updating scopes in configuration file

Working Solution:
The issue was resolved by changing the app’s distribution type from Public to Custom distribution. Orders contain protected customer data that’s restricted for Public apps, causing API requests to be rejected. After declaring the app as Custom, order data access worked correctly.

The original poster initially worked around the issue by avoiding UI Extension-to-backend requests, but the distribution type change proved to be the proper fix.

Summarized with AI on October 30. AI used: claude-sonnet-4-5-20250929.

Hello Shopify Community,

I’m developing a Shopify app and have encountered an issue when attempting to access order information via GraphQL. Despite having the necessary permissions set for my app, I’m receiving the following error when executing my query:

GraphqlQueryError: This app is not approved to access the Order object. See https://partners.shopify.com/[redacted]/apps/[redacted]/customer_data for more details.

Permissions Granted:

  • Edit orders
  • All order details for the last 60 days
  • View and Sync Discounts

The order I’m trying to access is only 20 days old, so it falls within the permitted range. Below is the GraphQL query I’m using:

query getOrder($id: ID!) {
  order(id: $id) {
    id,
    currencyCode,
    presentmentCurrencyCode,
    totalTaxSet {
      presentmentMoney {
        amount,
        currencyCode
      }
    },
    totalPriceSet {
      presentmentMoney {
        amount,
        currencyCode
      }
    },
    name,
    netPaymentSet {
      presentmentMoney {
        amount,
        currencyCode
      }
    },
    requiresShipping,
    restockable,
    shippingLine {
      discountedPriceSet {
        presentmentMoney {
          amount,
          currencyCode
        }
      }
    },
    metafields(first: 1, namespace: "$app:redacted-name") {
      nodes {
        namespace,
        id,
        value,
        key
      }
    }
  }
}

I’m concerned that part of my query might be accessing data considered sensitive by Shopify, but I’m not sure which part could be causing the issue. The query includes many fields, but none of these seem to directly access sensitive customer data.

The app also has the following permission details with respect to the store context it is installed in:

![Oldfire_0-1708292761506.png|629x422](upload://ftvMKMhKFX98RVxspUSPe1OreZe.png)

Also, I have tested this scope with a local tunneled app and did not have this issue. The scopes env vars are also correctly passed to the environment:

![Oldfire_1-1708292989188.png|1361x797](upload://uXLsjVNFYgMnfMKLwYhU8D36enk.png)

(I attempted to check if products scope was missing, but that did not solve the issue.)

Additional context:
Remix app, a loader at a route URL serving fetch for a block extension

const { admin, cors } = await authenticate.admin(request);

Request is done with admin.graphql and works wonderfully in a local environment with identical permissions.

Questions:

  1. Is there any part of my query that’s known to require additional permissions or is considered sensitive?
  2. Has anyone experienced a similar issue and found a workaround or solution?
  3. Are there best practices or documentation that I might have overlooked regarding accessing order information with GraphQL in Shopify?

Any guidance, suggestions, or references to documentation would be greatly appreciated. Thank you in advance for your help!

Is this perhaps because of the metafield that relates to the single order? https://shopify.dev/docs/apps/store/data-protection/protected-customer-data

Find the shopify.app.toml file in the code and update the scopes: scopes = "write_products, read_themes, read_orders, write_orders"

Maybe this will solve your issue.

Brain Station 23 PLC


What would be the idea behind the read_themes scope?

If anyone comes here to look for a solution, then I can say I didn’t find the most ideal solution here, but I found a fix that works for now.

Because this error only happened when I made a request from a UI Extension to the Remix backend, I simply stopped making these requests.

Just ran into the same error while working on a custom app. Turned out it was because I hadn’t yet chosen Custom distribution for the app. Orders include protected customer data which is restricted for Public apps. API requests for order data were being rejected until declaring the app as Custom and not Public.

2 Likes
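
The distinction this thread turns on, as an added example that is not part of any post above: a backend helper that separates a protected-customer-data denial (the error quoted in the question) from a missing OAuth scope, so scope changes are not tried against an approval problem. The function names, the missing-scope message wording and the sample errors are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): tell a missing OAuth scope apart from
// a protected-customer-data denial in an Admin GraphQL "errors" array.

// Wording taken from the error quoted in the thread.
const NOT_APPROVED = /This app is not approved to access the (\w+) object/;
// Assumed wording of a missing-scope denial; adjust to what your app receives.
const MISSING_SCOPE = /Required access: `(\w+)` access scope/;

// A write_* scope also grants the matching read_* scope.
function expandScopes(scopes) {
  const granted = new Set();
  for (const scope of scopes.split(",").map((s) => s.trim()).filter(Boolean)) {
    granted.add(scope);
    if (scope.startsWith("write_")) granted.add(scope.replace("write_", "read_"));
  }
  return granted;
}

function classifyGraphqlErrors(errors, configuredScopes) {
  const granted = expandScopes(configuredScopes);
  return (errors ?? []).map((err) => {
    const message = String(err?.message ?? "");
    const approval = message.match(NOT_APPROVED);
    if (approval) {
      return {
        kind: "protected_customer_data",
        object: approval[1],
        hint: "Scopes are not the cause; check protected customer data access and distribution type.",
      };
    }
    const scope = message.match(MISSING_SCOPE);
    if (scope) {
      return {
        kind: "missing_scope",
        scope: scope[1],
        hint: granted.has(scope[1])
          ? "Scope is configured but not granted on this install; re-authorize the app."
          : "Add the scope to the app's scopes configuration.",
      };
    }
    return { kind: "other", hint: message };
  });
}

// Constructed sample errors; PARTNER_ID and APP_ID are placeholders.
const SAMPLE_ERRORS = [
  { message: "This app is not approved to access the Order object. See https://partners.shopify.com/PARTNER_ID/apps/APP_ID/customer_data for more details." },
  { message: "Access denied for orders field. Required access: `read_orders` access scope." },
];
```

Run against the first sample, the helper reports the Order object as blocked by protected customer data rules, which is the case the Custom distribution fix addressed.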

This fixed it for me! Thanks