Why am I encountering webhooks issues in my staging environment?

Topic summary

Issue: A Shopify app could create, disable, and re-enable webhooks in one test environment, but in Staging re-enabling failed with the error that orders/paid is a protected topic containing customer data. Scopes were identical across environments, and the app used Admin REST API calls.

Cause: For protected topics (e.g., orders/paid), Shopify requires apps to declare access to “sensitive customer data” in the app’s Partner Dashboard setup. Matching OAuth scopes alone is insufficient if sensitive data access isn’t specified. Webhooks are automated notifications, and orders/paid may expose customer payment-related data.

Resolution: In the app’s Partner Dashboard → App setup, specify the sensitive customer data the app needs (setting is at the bottom of the section). After doing so, the webhook can be re-enabled.

Outcome: The original poster confirmed this solved the Staging issue; another participant reported the same problem and thanked them for the solution.

Status: Resolved. Key takeaway: Ensure sensitive customer data access is configured per app environment in addition to scopes when working with protected webhook topics.

Summarized with AI on January 28. AI used: gpt-5.

We have created a Shopify app that creates a few webhooks on stores that install it. The user can also disable and re-enable these webhooks.

We also have a few test environments: When testing on the first environment the webhooks are created, disabled and re-enabled all as expected. But on the ‘Staging’ environment, when the user tries to re-enable the webhooks we get this error:

“You do not have permission to create webhooks with orders/paid topic. This topic contains protected customer data. See https://shopify.dev/apps/store/data-protection for more details.”

The scopes on each app environment are the same, which is why I'm scratching my head with this one. Does anyone know what could potentially cause this issue?

**The re-enabling / disabling of webhooks is done using the Admin REST API calls.

I have solved this; writing this comment for anyone else who comes across this issue.

Within the App setup section for the app on the Partner Dashboard, at the bottom, you need to specify what ‘sensitive customer data’ you require as part of your app.

I have the same problem as you. Thanks for your solution.