Yes, all PII details of the user are coming in the response.
Topic summary
Order status links obtained via the Admin API (order_status_url) began prompting customers to log in, whereas previously the URL with authenticate?key opened the order details directly. Reports indicate this affects both regular and draft orders, and passing email/order_number in the URL no longer auto-forwards.
A recent platform change was cited: access to the order_statuspageurl field now requires Level 2 protected customer data permissions (L2). Separately, the order status page itself now enforces authentication based on customer context and timing.
Expected behavior per Shopify docs:
- From email/SMS notifications, customers can view without logging in for 3 weeks on the same browser.
- Across different browsers, access is allowed for 2 weeks, up to 5 browsers.
- When authentication is required, customers must log in or provide two credentials: order number and the checkout email or phone.
Requests were made for pre-auth/one-click links or an admin toggle to disable authentication; no such option was provided. One message suggested the issue was “fixed,” but subsequent posts reported it persists, including with Multipass users.
Status: Intentional change and working as designed; documentation and changelog links were provided. No workaround to bypass authentication was confirmed.