Access denied for orders field - read_orders scope not applied despite approval

Hello Shopify community,

I’ve been stuck on this issue for over a week and would really appreciate help.

The error:
“Error: Access denied for orders field”

My setup:

  • Shopify App template (React Router + Prisma)
  • Development store
  • Using Shopify CLI with Cloudflare tunnel
  • Node.js on Windows

What I’ve already done:

  1. Added read_orders to shopify.app.toml:
    scopes = "read_products,read_orders,read_customers"

  2. Requested Protected Customer Data access in Partners Dashboard
    (Store management + App functionality selected)

  3. Ran shopify app deploy multiple times

  4. Uninstalled and reinstalled the app several times

  5. Deleted sessions from the local database

  6. Updated .env with SHOPIFY_APP_URL matching the current
    Cloudflare URL

  7. Verified SHOPIFY_API_KEY and SHOPIFY_API_SECRET are correct

The problem:
When I install the app on my development store, the permissions
screen only shows:

  • Store owner data
  • Edit products
  • Edit online store

It does NOT show read_orders in the permissions list, even though
it’s declared in my scopes.

After installation, when the app tries to query orders, it fails
with “Access denied for orders field”.

What I’m trying to build:
An app that automates Chilean tax document emission (boletas/facturas)
by reading Shopify orders and sending them to Bsale for invoicing.

Question:
Why is read_orders not being applied during install, and how can
I force Shopify to recognize the updated scopes?

Thanks in advance for any help.

Have you also requested read_all_orders?

Hi @Franciscoaho,

If the access scopes are not being added during the installation, even though you added the scopes in the toml file, it’s likely due to the installation workflow your app is using.

With the Legacy Install Flow as described in the Authorization Code Grant Workflow, the access scopes are requested on install via the actual oauth/authorize HTTP Request parameters.

Whereas with the Shopify Managed Installation Flow, the access scopes requested on install are taken from the app’s toml file, or configuration in the Dev Dashboard.

You can see which method your app uses in the app’s configuration, either with use_legacy_install_flow: true in the app’s toml file, or in the app’s active version configuration displayed in the Dev Dashboard.

eg:

Here’s some relevant Shopify.dev documentation on everything I mentioned above:

In the app dashboard, you need to have an API access request for the protected customer data access needed.

Also, with read_orders you will only be able to access the past 60 days of orders.

To get full access to orders, you need this access.
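
One way to check the mismatch discussed in this thread, as an added example that is not part of any post: it diffs the scopes declared in shopify.app.toml against a granted scope string, treating a granted write_x as covering read_x. The granted string is assumed to be copied from the app's stored session record; the function names and sample values are constructed for illustration.

```javascript
// Added example, not from the thread. Function names are hypothetical.

function splitScopes(s) {
  return [...new Set(s.split(",").map((x) => x.trim()).filter(Boolean))];
}

// Pull the scope list and the install-flow flag out of shopify.app.toml text.
// Commented-out lines are ignored because the key must start the line.
function parseAppToml(tomlText) {
  const scopes = /^\s*scopes\s*=\s*"([^"]*)"/m.exec(tomlText);
  const legacy = /^\s*use_legacy_install_flow\s*=\s*(true|false)/m.exec(tomlText);
  return {
    declared: splitScopes(scopes ? scopes[1] : ""),
    legacyInstallFlow: legacy ? legacy[1] === "true" : null, // null = not set
  };
}

// A write_x scope also covers read_x, so expand before comparing.
function expandImplied(scopes) {
  const out = new Set(scopes);
  for (const s of scopes) {
    const m = /^(unauthenticated_)?write_(.+)$/.exec(s);
    if (m) out.add(`${m[1] || ""}read_${m[2]}`);
  }
  return out;
}

function compareScopes(tomlText, grantedScopeString) {
  const { declared, legacyInstallFlow } = parseAppToml(tomlText);
  const granted = splitScopes(grantedScopeString);
  const effective = expandImplied(granted);
  const wanted = expandImplied(declared);
  return {
    legacyInstallFlow,
    missing: declared.filter((s) => !effective.has(s)), // declared, not granted
    unexpected: granted.filter((s) => !wanted.has(s)), // granted, not declared
  };
}

// Constructed sample input: the scopes line from the question and a
// made-up granted string that lacks the order and customer scopes.
const SAMPLE_TOML = `
[access_scopes]
scopes = "read_products,read_orders,read_customers"
`;
const SAMPLE_GRANTED = "write_products,write_themes";

console.log(compareScopes(SAMPLE_TOML, SAMPLE_GRANTED));
```

A non-empty `missing` list means the install did not pick up the declared scopes; a non-empty `unexpected` list means the token carries more access than the toml file asks for.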