Clarification on "Protected Customer Data Access" for non-PII order data

Integrations_System · August 11, 2025, 2:06pm

Hello everyone,

I’m working on a custom app and have a question regarding API access for order information.

My app needs to retrieve basic order details, specifically the product name, quantity, and date. To do this, I’m using the orders.json endpoint with the following scopes:

'read_orders,read_inventory,read_locations,read_products'

When I make the API call, I receive the following error:

{ "errors": "[API] This app is not approved to access REST endpoints with protected customer data. See https://shopify.dev/docs/apps/launch/protected-customer-data for more details." }

I understand that this error is due to the presence of Protected Customer Data in the order object. I can resolve the error by requesting and receiving “Protected Customer Data Access” in the Partner Dashboard.

My question is this: Is it possible to access non-PII order data like line items (product name, quantity) without needing the “Protected Customer Data Access” approval?

I’m trying to avoid the merchant-facing message that appears during installation, as my app does not need to use or store any sensitive customer information like names, emails, or addresses.

Any guidance on whether this is the intended behavior or if there are alternative endpoints or methods would be greatly appreciated.

Dylan · August 11, 2025, 2:37pm

REST API endpoints will return all data by default.

Shopify is moving to GraphQL, which by default limits the data being accessed. In general I highly recommend using GraphQL instead, eventually the REST API will be phased out.

Alternatively, you might be able to filter your REST API request to only include these non-PII fields and get around the issue.

Alan_G · August 12, 2025, 7:09pm

Hey @Integrations_System, just following up here to +1 what @Dylan mentioned and to add a bit of extra context.

Per our docs here any order info, even if it’s not customer-specific is considered protected customer information.

That said, if you were just querying line items, product names etc, you should be able to request Level 1 access and access non-personal info like order line items, products, etc.

We do recommend moving to GraphQL as soon as possible, since like Dylan said our REST API is current considered a “legacy API”. It is available for now, but we aren’t currently adding new features to with our focus being on GraphQL.

Hope this clarifies things, let me know if I can help out further at all!

Integrations_System · August 12, 2025, 7:21pm

Thank you @Alan_G and @Dylan . This is very useful information. We will move off the REST API here soon.

Topic		Replies	Views
No customer data in received order via API Products and Orders APIs admin-api-orders	1	269	January 7, 2025
Struggling to fetch order data despite having proper scopes GraphQL Admin API Troubleshooting general-gql-troubles	3	23	July 16, 2025
Through the Rest API, there is an exception when requesting customer and order information Partner Discussions app-store	2	37	April 7, 2025
Bug Report: Cannot Request Protected Customer Data Access in New Dev Dashboard Authentication & Access oauth , access-scopes	9	126	June 13, 2025
Data protection & order customer data access Partner Discussions app-store	3	28	June 5, 2025

Clarification on "Protected Customer Data Access" for non-PII order data

Related topics