Order Risk REST API to GraphQL migration

Topic summary

Migration from Order Risk REST API to OrderRiskAssessment GraphQL API, seeking 1:1 field/function equivalences and decision logic clarity.

Key questions:

  • RiskFact.description vs REST message: RiskFact.description appears to describe specific fraud indicators, not a single overall risk message. Guidance requested on how to produce an equivalent overall message in GraphQL.
  • Mapping REST score to GraphQL riskLevel: Request for an official reference mapping numeric score (REST) to categorical riskLevel (LOW, MEDIUM, HIGH, NONE).
  • merchant_message in REST: With no recommended GraphQL replacement, can merchant_message be treated as equivalent to message, or is there a different field/approach?
  • Recommendation derivation: Assumption that OrderRiskSummary.recommendation comes from the assessment with the highest riskLevel (LOW→ACCEPT, MEDIUM→INVESTIGATE, HIGH→CANCEL, NONE→NONE). Confirmation requested that scoring by highest riskLevel matches recommendation outcomes.

Context notes:

  • riskLevel is a categorical fraud risk rating; recommendation is the suggested action; RiskFact.description describes underlying fraud indicators.

Status: Follow-up posted; no official answers yet. Discussion remains open with multiple unresolved mappings and behavior confirmations.

Summarized with AI on December 17. AI used: gpt-5.

Hey Shopify team,

During our migration from the Order Risk REST API to the OrderRiskAssessment GraphQL API, we are encountering the following challenges.

  • The recommended field that replaces the message field in the Order Risk REST API is RiskFact.description. However, it seems that this field only provides descriptions of the indicators used in the fraud analysis, rather than an overall message related to the risk like the message field. Could you provide some insight on how we can use RiskFact.description to get an equivalent of the message field?
  • Is there any official reference for what score (from Order Risk REST API) should be mapped to each riskLevel?
  • Since there is no recommended replacement for merchant_message in the Order Risk REST API, can we assume it will always be equivalent to the message field?

Following up on this!

I have one more query:
My understanding is that the OrderRiskSummary.recommendation is determined by the OrderRiskAssessment with the highest riskLevel, as follows:
ACCEPT: LOW
INVESTIGATE: MEDIUM
CANCEL: HIGH
NONE: NONE
Is this accurate? If we score based on the highest riskLevel from the assessment, will it match if we base the score on recommendation?