New Shopify Certification now available: Liquid Storefronts for Theme Developers

Stuck trying to get customer metafields with api

6 0 1

I've been on this for almost 2 days and got basically nowhere. My end goal is to be able to read and update customer metafield data. The customer will need to be able to update this data in their account too. 

But for now I just want to figure out how to make a working admin API call. The docs say it has to be authenticated to use the admin API. So I made a private app with customer read/write permissions and stuck the password in as the access token like it says here. But it still fails. The response is some sort of login page instead of JSON. So I'm assuming something is wrong with how I am doing authentication.

I am logged in as a customer while testing. This is a custom theme/site. Not an app.


    url: '/admin/api/2020-04/customer/' + {{}} + '/metafields.json',
    type: 'GET',
    beforeSend: function(xhr){
     	xhr.setRequestHeader('X-Shopify-Access-Token', 'my private app password');
    success: function(result){
    error: function(xhr, status, error){
console.log('status', status);
console.log('error', error);
}, dataType: "json" });


Replies 4 (4)
Shopify Expert
11159 222 2274

Why are you making this an AJAX call? The fact that it's jQuery makes me rather nervous and would suggest that this call is being made on the front end, exposing the key details to anyone that looks. That's really scary given that I could view and edit all your customers with those details.

Since it is a browser based call you'll be sending cookies in that request. The change request with cookies present will be blocked since it poses a security risk.

★ I jump on these forums in my free time to help and share some insights. Not looking to be hired, and not looking for work. ★
6 0 1

Thanks, I know but I just can't figure out what the alternative is supposed to be.  Whenever I try to search for a solution I just keep finding responses like that saying what NOT to do, but not what TO do. I'm currently trying AJAX because that's all I know to do.  But it's not working anyway which is why I'm posting here. If I need to be doing something else, please tell me what because I'm not finding anything specific in the docs or google. There is a gap between what I know and what the docs assume I know. I am not a new dev, but this is my first Shopify build.

For some more background, the site has a giant form that customers fill out for their pet(s).  It's sort of a product recommendation thing and also just general profile info. So customers need to have attached/associated data for each of their pets.  I can add metafields (via an app I installed) to hold the data, but accessing and updating that data is proving difficult.

My thinking was to save data from the form into the customer's metafields, which requires using the admin API as far as I can figure out.  (Also they are supposed to be able to somehow save the form to come back later and finish it. And I believe will need to be able to modify the data in their account. )

All I know is that I need to somehow update the data here: /admin/api/2020-04/customer/[customer id]/metafields.json

So no AJAX, ok. And I assume no XMLHttpRequest either. Somehow in liquid?  Or do I have to go down the rabbit hole of learning the six tools required to make an app and go that route? Maybe there's a way to do what I need without the API at all. I just don't know.  If you could point me in the right direction would be really helpful.

6 0 1

And even though AJAX is bad and unsecure, shouldn't it still work if I do the authentication correctly? It's responding with an error and a login page. If I can get AJAX working I can at least work on the basic functionality, test GET and PUT, etc and then move it out of AJAX into ... whatever, later.  This site is currently not live so I am not so concerned about security at this point.

Shopify Partner
1033 86 282

Based on what I recall for a few private apps I've created, they have an associated API key and API secret, as installed in the Shopify shop. You can check here, drilling into the private app you need to look at, in order to determine the API key and API secret --> https://{shop_where_private_app_is_installed}

Once you have the API key and API secret, then you can include them in the URL, such as this --> https://{api_key}:{api_secret}@{shop_where_private_app_is_installed}

You don't need that header value. And ensure you have Content-Type set to application/json. Then you should have a decent enough start 🙂

Long term, try not to expose too much data client-side through Javascript and whatnot. Liquid can hide some of this for you to a degree.