Access scope to access StaffMember Id with public apps

Currently the StaffMember data cannot be accessed by public applications, as the read_users scope can only be provided to private applications installed for Shopify Plus or Advanced customers. Would it be possible to provide access to the StaffMember id for public applications via the read_users scope or a new read_user_id scope? This would allow public applications to at least link other GraphQL entities like order and refund to a user id, which the Shopify Plus or Advanced merchant can then identify via a separate private application. This would avoid the requirement for applications to have duplicate public and private versions without compromising on access to private data.

Also the StaffMember data can be accessed by “finance embedded app”. Could you please elaborate on how an application qualifies as finance embedded and what that means?

Hi Mathieu,

> the StaffMember data cannot be accessed by public applications as the read_users scope can only be provided to private applications installed for Shopify Plus or Advanced customers

Is this the cause of the issue you saw here: Access to StaffMemberPrivateData?

@Mathieu_Nunez

Are you aware of Online Access Tokens?

These tokens are issued to individual staff members that use your app. You can exchange your app’s Session Token with an online access token.

The online access token contains the staff member’s ID, name, and other details.

I’m not aware of another Admin GraphQL query that allows accessing all staff members, but this method doesn’t require any additional scopes.

I’ve used it in the past to create permissions for my apps so only specific staff members are allowed to see/perform certain actions in my apps.
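Added example, not part of the original posts: a sketch of the per-staff permission check described in the reply above, driven by the `associated_user` object returned alongside an online access token. The sample response is constructed, and `buildTokenExchangeBody`, `authorizeStaff`, and the allow-list policy are hypothetical names; no network call is made.

```javascript
// Constructed sample of an online access token response (all values are made up).
const sampleResponse = {
  access_token: "constructed-token-value",
  scope: "read_orders",
  expires_in: 86399,
  associated_user_scope: "read_orders",
  associated_user: { id: 1000001, first_name: "Sample", last_name: "Staff",
                     account_owner: false, collaborator: false },
};

// Form fields for exchanging the app's session token for an online access token.
// The body is POSTed to the shop's /admin/oauth/access_token endpoint.
function buildTokenExchangeBody(clientId, clientSecret, sessionToken) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
    subject_token: sessionToken,
    subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
    requested_token_type: "urn:shopify:params:oauth:token-type:online-access-token",
  });
}

// Hypothetical per-shop policy: which staff IDs may use a sensitive app feature.
const policy = { allowedStaffIds: new Set([1000001]), allowAccountOwner: true };

// Decide whether the staff member behind this token may perform an action.
// Fails closed: an offline token (no associated_user) is never authorized here.
function authorizeStaff(tokenResponse, policy, requiredScope) {
  const user = tokenResponse && tokenResponse.associated_user;
  if (!user || !Number.isInteger(user.id)) {
    return { allowed: false, reason: "no associated user" };
  }
  // The user's effective scopes can be narrower than the app's granted scopes.
  const userScopes = String(tokenResponse.associated_user_scope || "")
    .split(",").map((s) => s.trim()).filter(Boolean);
  if (!userScopes.includes(requiredScope)) {
    return { allowed: false, reason: "user lacks scope" };
  }
  if (user.account_owner === true && policy.allowAccountOwner) {
    return { allowed: true, staffId: user.id };
  }
  if (policy.allowedStaffIds.has(user.id)) {
    return { allowed: true, staffId: user.id };
  }
  return { allowed: false, reason: "staff member not permitted" };
}
```

The check runs server-side on the token exchange response, so the staff ID is never taken from anything the browser sends.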

@Dylan this won’t help in this scenario as our app is downloading data to store and make it available for reporting to the merchant.

@Liam-Shopify no, this is a separate issue. For the one you are referring to, this is access with a private token and read_users scope. In the scenario I describe here we are using the public access token.