Implement New Customer Fields Security Permissions

Customer field access is being tightened for improved security. Make sure your apps meet the new requirements so they keep working and customer data stays protected.

Executive summary:

  • New access requirements for specific customer-related fields.
  • Addresses potential security vulnerabilities by restricting access.
  • Affects app developers and merchants using APIs.

What changed

Effective immediately, accessing specific customer-related fields now requires both the write_customers scope and the create_and_edit_customers permission. This change affects fields such as CustomerEmailAddress.openTrackingUrl and CustomerPhoneNumber.marketingUnsubscribeUrl.

Why it matters

This update significantly enhances security by ensuring that only authorized applications can modify customer marketing preferences. Merchants can trust that changes to customer email subscriptions and other settings are secure and intentional.

Role-specific impact

  • Marketers: Ensure your marketing apps have appropriate permissions; otherwise, campaigns relying on these URLs may be disrupted.
  • Developers: Update your application logic to require the write_customers scope; prior reliance on read_customers is insufficient.
  • Store admins: Communicate with your third-party app providers to confirm they update their apps accordingly, avoiding any disruption in service.

Use-case example

Real-world scenario & metric

A leading e-commerce app prevented unauthorized marketing consent changes by adopting the new write_customers scope, reducing marketing unsubscribe errors by 90%.

Implementation checklist

  1. Audit all apps that query these fields and confirm they request the updated permissions.
  2. Verify that the staff roles used by those apps carry the create_and_edit_customers permission.
  3. Test app functionality to confirm no access errors occur.
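The first checklist step is the one that can be automated. The following is an added example, not code from Shopify or from the original notice: a small static audit that scans an app's GraphQL query texts for the two fields named above and flags any query that selects them while the app's configured scopes still lack write_customers. It assumes scopes are declared on a single `scopes = "..."` line (shopify.app.toml style) and matches the field names as bare tokens, so a query selecting an unrelated field with the same name would be reported too; the sample config and queries are constructed for the example. The create_and_edit_customers staff permission is granted in the admin, not in app code, so it still has to be verified against the role the app runs as (checklist steps 2 and 3).

```javascript
// Added example (not from Shopify or the original page): static audit of an
// app's GraphQL queries against the new write_customers requirement.

// The two fields named in the change notice.
const RESTRICTED_FIELDS = [
  { type: "CustomerEmailAddress", field: "openTrackingUrl" },
  { type: "CustomerPhoneNumber", field: "marketingUnsubscribeUrl" },
];
const REQUIRED_SCOPE = "write_customers";

// Assumption: scopes are declared as one comma-separated string on a single
// line, e.g. scopes = "read_customers,write_orders" (shopify.app.toml style).
function parseScopes(configText) {
  const match = configText.match(/^\s*scopes\s*=\s*"([^"]*)"/m);
  if (!match) return new Set();
  return new Set(match[1].split(",").map((s) => s.trim()).filter(Boolean));
}

// Return "Type.field" names for every restricted field selected in a query.
// GraphQL comments (# ...) are stripped first so commented-out fields are ignored.
function findRestrictedFields(query) {
  const body = query.replace(/#[^\n]*/g, "");
  return RESTRICTED_FIELDS
    .filter(({ field }) => new RegExp(`\\b${field}\\b`).test(body))
    .map(({ type, field }) => `${type}.${field}`);
}

// Audit a map of query name -> query text against the configured scopes.
// Each finding lists the restricted fields a query selects; ok === false
// means the query will be denied under the new requirement because the app
// does not request write_customers.
function auditQueries(configText, queries) {
  const hasScope = parseScopes(configText).has(REQUIRED_SCOPE);
  const findings = [];
  for (const [name, text] of Object.entries(queries)) {
    const fields = findRestrictedFields(text);
    if (fields.length === 0) continue;
    findings.push({ query: name, fields, ok: hasScope });
  }
  return findings;
}

// Constructed sample input: an app still on read_customers, with one query
// that selects the restricted URLs and one that does not.
const SAMPLE_CONFIG = `
name = "example-marketing-app"
scopes = "read_customers,read_orders"
`;

const SAMPLE_QUERIES = {
  customerContact: `
    query CustomerContact($id: ID!) {
      customer(id: $id) {
        defaultEmailAddress { emailAddress openTrackingUrl }
        defaultPhoneNumber { phoneNumber marketingUnsubscribeUrl }
      }
    }`,
  customerName: `
    query CustomerName($id: ID!) {
      customer(id: $id) { firstName lastName }
    }`,
};

function runSampleAudit() {
  return auditQueries(SAMPLE_CONFIG, SAMPLE_QUERIES);
}

for (const f of runSampleAudit()) {
  const status = f.ok ? "OK" : `MISSING ${REQUIRED_SCOPE}`;
  console.log(`${f.query}: selects ${f.fields.join(", ")} -> ${status}`);
}
```

Run it against the real config and the query strings your app ships (for example by collecting every `.graphql` file or tagged template); each finding with `ok: false` is an app that needs write_customers added before it is tested under a staff account holding create_and_edit_customers.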

FAQ

Q: What happens if my app remains on the old scope?
A: Access to these fields will be denied, potentially disrupting your app's functionality.

Q: Is there a grace period for compliance?
A: No, these changes are immediate and apply to all API versions.

Resources

Refer to Shopify's API breaking change policy for detailed information on implementing security updates.
Need guidance? Talk to Makro.
