Skip to main content

Scopes

Apps request a set of scopes at install time. Each scope grants access to a group of /api/v1/* endpoints. The platform enforces scopes server-side on every API call against the installation’s granted scopes — a request for an endpoint outside the app’s granted scopes returns 403. Scopes are passed as a comma-separated list on /apps/oauth/authorize and returned space-delimited in the scope field of the token response. There are 37 scopes.
Reads and writes are separate. write_* does not imply read_* — request both if you need to read and write the same resource.

Available scopes

ScopeGrants
read_shopView shop information
write_shopModify shop information
read_productsView products and variants
write_productsCreate, update, and delete products
read_collectionsView collections
write_collectionsCreate, update, and delete collections
read_ordersView orders, transactions, and refunds
write_ordersCreate, update, and cancel orders
read_fulfillmentsView fulfillments and shipments
write_fulfillmentsCreate and update fulfillments
read_customersView customers and their addresses
write_customersCreate, update, and delete customers
read_inventoryView inventory levels
write_inventoryAdjust inventory levels
read_metafieldsView metafields on resources
write_metafieldsCreate, update, and delete metafields
read_discountsView discount codes and price rules
write_discountsCreate, update, and delete discount codes
read_contentView blog posts, articles, and pages
write_contentCreate, update, and delete blog content
read_shippingView shipping zones and rates
write_shippingCreate, update, and delete shipping configuration
read_gift_cardsView gift cards
write_gift_cardsCreate, update, and disable gift cards
read_themesView installed themes and theme files
write_themesUpload and modify theme files
read_filesView files uploaded to the store asset library
write_filesUpload and delete files in the store asset library
read_billingView store billing, subscriptions, and invoices
write_billingManage store billing settings
read_analyticsView store analytics, reports, and dashboards
read_settingsView store settings (shipping, payments, taxes)
write_settingsModify store settings
read_marketingView marketing campaigns and automations
write_marketingCreate and manage marketing campaigns
read_email_templatesView transactional email templates
write_email_templatesCreate and modify transactional email templates
read_analytics is read-only — there is no write_analytics scope.

Scopes for common tasks

Registering webhooks
read_shop
Webhook subscription endpoints (POST /api/v1/webhooks.json) are gated by read_shop — there is no dedicated webhook scope.
Embedded app / session tokens
(no scope)
Embedded admin access via session tokens is authenticated by the HS256 session-token JWT, not an OAuth scope. No scope is required to request a session token.
Media / file picker
read_files / write_files
The asset library is governed by read_files / write_files. The App Bridge resource picker File type runs in the admin host context.

Validation

Requested scopes are validated against the app’s registered scope set at authorize time. An unknown or unregistered scope returns:

See also

  • Authorize — start the OAuth flow with a scope list.
  • Token — exchange the code; the response echoes granted scopes.
  • Authentication — full OAuth walkthrough.