Order's API order_status_url page asking for authentication

Retired Boards Appdev Customers Discounts And Orders
,

Topic summary

Order status links obtained via the admin API (order_status_url) began prompting customers to log in, whereas previously the URL with authenticate?key opened details directly. Reports indicate this affects both regular and draft orders, and passing email/order_number in the URL no longer auto-forwards.

A recent platform change was cited: access to the order_statuspageurl field now requires Level 2 protected customer data permissions (L2). Separately, the order status page itself now enforces authentication based on customer context and timing.

Expected behavior per Shopify docs:

  • From email/SMS notifications, customers can view without logging in for 3 weeks on the same browser.
  • Across different browsers, access is allowed for 2 weeks, up to 5 browsers.
  • When authentication is required, customers must log in or provide two credentials: order number and the checkout email or phone.

Requests were made for pre-auth/one-click links or an admin toggle to disable authentication; no such option was provided. One message suggested the issue was “fixed,” but subsequent posts reported it persists, including with Multipass users.

Status: Intentional change and working as designed; documentation and changelog links were provided. No workaround to bypass authentication was confirmed.

Summarized with AI on December 27. AI used: gpt-5.
1

Hi Team!

We are using using get order admin API to fetch order_status_url and sending it to user on our communication channel. Seems like since last 1 day all order_status_url are asking for login to users. I don’t see any announcement/change logs for the same.

Is there way to get pre-auth URLs.

Although the order_status_url follows following pattern and already has authentication key so shouldn’t be asking to login,
https://<store_domain>//orders/<some_uid>/authenticate?key=

Thanks!

8 Likes
2

Hi Pratikvii,

Is this for draft orders, or regular orders?

3

Hi @Liam

Thanks for your reply.

i understand about the scope and i am getting the order status url in order response. The problem is after opening order status url, which is asking user for login. That was not that case till now. It would open all order details by default.

Thanks!

4

There was a recent change related to this - do you have L2 access to protected data?

5

Yes, all PII details of user are coming in response.

6

From looking into this, it does appear to be an intentional change to the behaviour of the order status page, digging into this a bit more with our internal teams.

7

Following along here. I’m having the same issue.

1 Like
8

Me too, same issue..

1 Like
9

Hi @Liam ,

Any update on this matter? We also have this issue with the Draft Orders API.

The links you posted regarding the recent change and L2 access to protected data lead to nowhere.

1 Like
10

Same issue. How could we let them login with one click? The page for examples takes parameters like email and order_number and can prefill the values, but it does not forward it after the order_status_url link.

1 Like
11

Hey @Liam ! any update on this?

1 Like
12

Is there any update on this yet?

13

I’m facing the same issue. I’d like the ability to view the order status page without requiring the user to log in. It would be beneficial to have an option in the Shopify admin to enable or disable authentication. Alternatively, allowing access to the full page information by adding details to the URL (client’s email address + order number) would be a great solution. I’ve also contacted Shopify Plus support about this. @Liam , have you had a chance to look into this? It’s quite urgent. Many thanks

14

Looks like this is fixed

1 Like
15

Hello,

I’m currently facing the same issue.

And my user is logged through multipass and in a checkout page, we can see that he is authenticated.

Do you have information?

16

Hey @TsaNooz ,

Just looking over our documentation here, this would be expected behaviour depending on the customers authentication status.

To ensure the security of customer information when accessing the order status page from an email or SMS order notification, a login requirement is enforced depending on how and when the customer accesses the order status page. Customers can access their order status page from their order confirmation email for 3 weeks without logging in, when using the same browser. When using different browsers, customers can access their order status page for 2 weeks without logging in, across a maximum of 5 different browsers.> > When logging in is required, customers need to either log in to their customer account or provide two credentials to access the page:> > - The order number (which can be retrieved from their order confirmation email or SMS receipt)> - The email address or phone number used during checkout

This document here also goes in to more detail on the different order status page authentication states and expectations when directing customers there through your app:

https://shopify.dev/docs/apps/build/customer-accounts/order-status-page#authentication-states

This is the changelog post here from when this requirement changed: https://shopify.dev/changelog/level-2-protected-customer-data-requirements-are-now-needed-to-access-the-order-statuspageurl-field

Hope that helps,

  • Kyle G.