Scopes
Apps request a set of scopes at install time. Each scope grants access to a group of/api/v1/* endpoints. The platform enforces scopes server-side on
every API call against the installation’s granted scopes — a request for
an endpoint outside the app’s granted scopes returns 403.
Scopes are passed as a comma-separated list on
/apps/oauth/authorize and returned
space-delimited in the scope field of the
token response. There are 37 scopes.
Reads and writes are separate.
write_* does not imply read_* —
request both if you need to read and write the same resource.Available scopes
| Scope | Grants |
|---|---|
read_shop | View shop information |
write_shop | Modify shop information |
read_products | View products and variants |
write_products | Create, update, and delete products |
read_collections | View collections |
write_collections | Create, update, and delete collections |
read_orders | View orders, transactions, and refunds |
write_orders | Create, update, and cancel orders |
read_fulfillments | View fulfillments and shipments |
write_fulfillments | Create and update fulfillments |
read_customers | View customers and their addresses |
write_customers | Create, update, and delete customers |
read_inventory | View inventory levels |
write_inventory | Adjust inventory levels |
read_metafields | View metafields on resources |
write_metafields | Create, update, and delete metafields |
read_discounts | View discount codes and price rules |
write_discounts | Create, update, and delete discount codes |
read_content | View blog posts, articles, and pages |
write_content | Create, update, and delete blog content |
read_shipping | View shipping zones and rates |
write_shipping | Create, update, and delete shipping configuration |
read_gift_cards | View gift cards |
write_gift_cards | Create, update, and disable gift cards |
read_themes | View installed themes and theme files |
write_themes | Upload and modify theme files |
read_files | View files uploaded to the store asset library |
write_files | Upload and delete files in the store asset library |
read_billing | View store billing, subscriptions, and invoices |
write_billing | Manage store billing settings |
read_analytics | View store analytics, reports, and dashboards |
read_settings | View store settings (shipping, payments, taxes) |
write_settings | Modify store settings |
read_marketing | View marketing campaigns and automations |
write_marketing | Create and manage marketing campaigns |
read_email_templates | View transactional email templates |
write_email_templates | Create and modify transactional email templates |
read_analytics is read-only — there is no write_analytics scope.Scopes for common tasks
Webhook subscription endpoints
(
POST /api/v1/webhooks.json) are
gated by read_shop — there is no dedicated webhook scope.Embedded admin access via
session tokens is authenticated by the
HS256 session-token JWT, not an OAuth scope. No scope is required to
request a session token.
The asset library is governed by
read_files / write_files. The App
Bridge resource picker File type runs in the
admin host context.Validation
Requested scopes are validated against the app’s registered scope set at authorize time. An unknown or unregistered scope returns:See also
- Authorize — start the OAuth flow with a scope list.
- Token — exchange the code; the response echoes granted scopes.
- Authentication — full OAuth walkthrough.