Does shopifyqlquery require Level 2 PCD access, how long to get that access?

My app is a public app currently live in the App Store. It uses shopifyqlquery on the Admin GraphQL API for aggregated store-level analytics and core functionality. The queries themselves never reference any customer-level fields. No names, addresses, phones, or emails, no PII of any kind. Just aggregated numeric metrics.

Despite that, calling shopifyqlquery on a store without Level 2 PCD approval returns:

“Access denied for shopifyqlQuery field. Required access: read_reports access scope. Also: Level 2 access to Customer data including name, address, phone, and email fields.”

And the official reference at https://shopify.dev/docs/api/admin-graphql/latest/queries/shopifyqlQuery repeats the same requirement.

A few questions I can’t get clear answers on from the docs alone:

1. Is this accurate? Is shopifyqlquery truly gated at the field level behind Level 2 PCD, meaning every app that calls this field (regardless of whether the specific query touches customer data) needs to go through the full Level 2 review? Or is there a configuration I’m missing where you can access shopifyqlquery with just read_reports if you explicitly don’t request customer fields?

2. What’s the typical review timeline for a Level 2 PCD request in the Partner Dashboard for a public app that’s already live in the App Store? Days? Weeks? I’ve read the PCD docs and guidelines but can’t find any official SLA or range. Trying to plan the communication to existing and incoming merchants appropriately.

3. If Level 2 is truly required, is there any alternative approach others have used to get aggregated store-level numeric metrics (not per-customer) without going through shopifyqlquery , e.g. paginated Order queries plus client-side aggregation, that avoids the L2 gate? I know Orders are also PCD-classified resources, but my read of the docs suggests read_orders alone is enough to query the Order object if you avoid the customer fields within it.

Hi @Marcos_B,

I can confirm that this is correct that the shopifyQlQuery GraphQL Admin API Query does require access to protected customer data, and that this is expected behaviour and was done by design by our development team.

This is because the checks for protected data access are done on the API level, and the actual ShopifyQL query itself is not done via the API. Meaning the shopifyQLQuery call triggers the internal ShopifyQL query, and returns the result in the single object ShopifyqlQueryResponse, rather than returning the results as individual data fields in the Admin API schema.

You are correct that the best workaround for this, would be to use the Orders Admin API query, since all the data returned from this query is in the Admin API Schema, and the protected customer data requirement is applied for each field requested.

For example, if you query order.id and order.created_at in a single GraphQL Admin API call with the orders query, it doesn’t require protected customer data access, but if you query order.customer.defaultEmailAddress it will require protected customer data access.

Regarding the review timeline, we are unable to provide any estimated timeframes for how long the review would take, though they are usually done pretty quickly, and if you just request the access you can use it immediately on a Development Store for testing, without needing to wait for the full review.

More info on the Protected Customer Data Request and Review process can be found here:

• Work with protected customer data

This makes almost impossible working with ShopifyQl or alright dangerous since I can’t think of any app that would need access to both customer data and non PII in ShopifyQl