Order's Webhooks Not Being Received using Amazon EventBridge since 2022-10

Technical Q&A

Topic summary

A developer is troubleshooting webhook delivery issues with their Shopify partner app using Amazon EventBridge.

The Problem:

  • App receives both ORDERS_UPDATES and PRODUCTS_UPDATE webhooks successfully on API versions 2022-07 and 2022-04
  • Since upgrading to API version 2022-10, only product webhooks are received—order webhooks stopped working
  • AWS SQS queue confirms this selective delivery pattern

Configuration Details:

  • App has read_orders permission among others
  • EventBridge webhooks are properly configured for both topics
  • API version is set to 2022-10 for the order webhook subscription

Resolution:
The developer identified the root cause: missing “Protected customer data access” approval in the App Setup section. Starting with API version 2022-10, Shopify requires explicit protected customer data access for order webhooks, even for draft/unlisted apps. Enabling this setting should restore order webhook delivery.

Summarized with AI on November 19. AI used: claude-sonnet-4-5-20250929.
1

We have a partner app (public app in draft mode) with Amazon EventBridge configured.

The app is subscribed to the ORDERS_UPDATES and PRODUCTS_UPDATE topics.

AWS SQS receives orders and products webhooks when the Event subscriptions version is set to either 2022-07 or 2022-04.

Since 2022-10, only product web hooks are being received. What could be the cause?

The app’s permissions:

    "read_themes",
    "read_customers",
    "read_translations",
    "read_orders",
    "read_locales",
    "read_markets",
    "write_products",
    "read_products"

The result of “admin/api/2022-10/webhooks.json” query:

{
            "id": .................,
            "address": "arn:aws:events:.................",
            "topic": "orders/updated",
            "created_at": "2023-06-13T15:04:32-04:00",
            "updated_at": "2023-06-13T15:04:32-04:00",
            "format": "json",
            "fields": [],
            "metafield_namespaces": [],
            "api_version": "2022-10",
            "private_metafield_namespaces": []
        },
        {
            "id": ...............,
            "address": "arn:aws:events:.........................",
            "topic": "products/update",
            "created_at": "2023-06-12T08:11:18-04:00",
            "updated_at": "2023-06-12T08:11:18-04:00",
            "format": "json",
            "fields": [
                "admin_graphql_api_id",
                "tags",
                "product_type",
                "vendor",
                "handle",
                "status",
                "options",
                "published_at",
                "image",
                "title",
                "updated_at",
                "variants",
                "images",
                "created_at",
                "id",
                "published_scope",
                "template_suffix"
            ],
            "metafield_namespaces": [],
            "api_version": "2022-10",
            "private_metafield_namespaces": []
        },
2

I forgot about “Protected customer data access” in the App Setup section.

The draft status of this request allows the usage the order webhooks since 2022-10 (for unlisted apps, of course).

https://shopify.dev/docs/apps/store/data-protection/protected-customer-data