Feature Request: 🍑 Allow `shopify app execute` mutations on production stores with opt-in flag

I have reproduced the issue on the latest CLI version.

Yes, I am on the latest version

I have searched existing posts and this report is not a duplicate.

Yes, this isn’t a duplicate

In which of these areas are you experiencing a problem?

App

Expected behavior

:peacock: Context — What I’m trying to do

I have a custom app (claude-code-api) installed on my production store via Settings → Apps → Develop apps. The app has full scopes for product and inventory management (write_products, write_inventory, write_publications, etc.).

I use a Python script that automates catalogue management on my store:

  • Upload product images via staged uploads
  • Create products with variants, pricing, and media
  • Set inventory levels at a specific location
  • Publish products to the online store sales channel

The script currently handles OAuth (client credentials grant), GraphQL requests, and API versioning manually. I want to replace that boilerplate with shopify app execute, which already handles auth and versioning — making my script a thin orchestrator instead of a hand-rolled API client.

:slightly_smiling_face: Expected Behaviour

shopify app execute should support an opt-in flag (e.g. --allow-live, mirroring shopify theme push --allow-live) that permits mutations on production stores where the app is already installed with the required scopes.

Example:

shopify app execute --store my-store.myshopify.com --allow-live \
  --query 'mutation productCreate($input: ProductCreateInput!) { productCreate(product: $input) { product { id } } }' \
  --variables '{"input": {"title": "New Product"}}'

The app’s scopes already govern what it can and can’t do. The store owner has explicitly installed the app and granted those scopes. An --allow-live flag would respect that existing trust while preventing accidental production writes.

Actual behavior

:face_with_diagonal_mouth: Actual Behaviour

The CLI README states:

“Mutations are only allowed on dev stores.”

shopify app execute rejects all mutations on production stores regardless of app scopes or user intent. There is no override flag.

This forces developers to maintain their own OAuth and HTTP layers for production use — duplicating exactly what the CLI already does, just without the dev-store guard.

Why this matters

The CLI already solves auth, versioning, and request formatting. The dev-store restriction means anyone automating against a production store (catalogue management, inventory sync, bulk operations) cannot benefit from this. The gap is especially painful for solo developers and small merchants who use custom apps for legitimate store automation — not app distribution.

The precedent exists: shopify theme push --allow-live uses the same pattern — dangerous by default, opt-in when you mean it.

Reproduction steps

N/A but :red_question_mark: — I’m a product manager (ie not a professional engineer at all), and this is my first shopify experience. So if I am entirely missing a magical something that I should be doing rather than my script and rather than asking for the CLI to allow me to do this beyond a dev store, please I’d love the advice!

Verbose output

N/A (I was very verbose)

Operating system

Linux (WSL2) — 6.6.87.2-microsoft-standard-WSL2

CLI version

3.92.0

Shell

zsh

Nodejs version

v24.12.0

What language and version are you using in your application?

Python 3.14 (automation script using the Admin GraphQL API via the custom app’s client credentials)

1 Like
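A sketch of the "dangerous by default, opt-in when you mean it" guard requested above, as it could be enforced in a Python orchestrator before any request is sent. This is an added example, not Shopify CLI code or the poster's script: `operation_types`, `decide`, `dev_store` and `allow_live` are hypothetical names, and the caller is assumed to know whether the target is a dev store.

```python
import re

# Block strings, quoted strings and comments: blanked so keywords inside them are ignored.
_NOISE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
_TOKEN = re.compile(r"[{}()]|[A-Za-z_]\w*")


def operation_types(document):
    """Return the set of operation types defined at the top level of a GraphQL document."""
    found, depth, header = set(), 0, None
    for match in _TOKEN.finditer(_NOISE.sub(" ", document)):
        tok = match.group()
        if tok in ("{", "("):
            if tok == "{" and depth == 0 and header != "fragment":
                found.add(header or "query")  # a bare "{" is the shorthand query form
            depth += 1
        elif tok in ("}", ")"):
            depth -= 1
            if depth == 0 and tok == "}":
                header = None  # top-level definition closed
        elif depth == 0 and header is None:
            header = tok  # first word of a definition: query, mutation, fragment, ...
    return found


def decide(document, *, dev_store, allow_live=False):
    """Default-deny writes to a live store unless the caller opted in explicitly."""
    types = operation_types(document)
    if not types:
        return "deny: no operation found"
    if types == {"query"}:
        return "allow: read-only"
    if dev_store:  # anything other than a pure query counts as a write from here on
        return "allow: dev store"
    if allow_live:
        return "allow: explicit opt-in"
    return "deny: write to live store without allow_live"


if __name__ == "__main__":
    # Constructed sample documents; the first is the mutation from the post above.
    create = ("mutation productCreate($input: ProductCreateInput!) "
              "{ productCreate(product: $input) { product { id } } }")
    search = '{ products(first: 5, query: "title:mutation") { nodes { id } } }'
    mixed = 'query A { shop { name } } mutation B { productDelete(input: {id: "x"}) { deletedProductId } }'
    for doc in (create, search, mixed):
        print(decide(doc, dev_store=False), "|", decide(doc, dev_store=False, allow_live=True))
```

A document that defines both a query and a mutation is treated as a write, because the operation actually run is chosen separately by operation name.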

Hi @Michelle,

Thank you very much for your detailed feedback. I will be sharing this internally on your behalf with our Developers and Product Managers. While I can’t guarantee that this will be added, I can assure you that our internal teams place great value on all of our Partner and Merchant Developer feedback when determining future features and updates to the platform.

Regarding the use of the command itself and the current limitation on dev stores: This limitation is in line with the recent changes that were made with how custom apps are created and authenticated on merchant stores, adding security for merchants by having all custom apps created through the Dev Dashboard and forcing authentication workflows like the Client Credential Grant, Authorization Code Grant, and Session Token Exchange workflows. Additionally, this also prevents bad actors from skirting app distribution requirements.

I do agree, however, that these limitations do make it harder for solo devs and small merchants wanting to implement simple store automation without building and managing fully fleshed out apps.

In this case, a workaround in the meantime could be to use the Shopify Flow app for store automations, as most of the behaviour you’d want to automate via the API can also be done directly via Shopify Flow workflows. Most Shopify Flow actions are actually done via internal API calls, and there’s an additional Send API Request action in Shopify Flow that lets you call most API mutations directly within the workflow.

Here’s some documentation on Shopify Flow in case this helps:

Hello @Kellan-Shopify

Thank you for your reply. Please take my feedback with a grain of salt, as I am a beginner at Shopify. It’s just that I’m finding it difficult to use Claude Code to help me customise a shopify theme (and prototype it). Coming from Claude Code + Next.js + Convex where it’s easy, the journey here seems very bumpy.

This includes:

  • The stunted CLI as per this thread
  • The Cursor rules on https://github.com/Shopify/horizon that aren’t available in Claude Code format. Also, they spray (glob) further than they need to, so I manually narrow the scope too.
  • The shopify-dev-mcp that seems to dump an instant 12.3k in my context window: “:warning: Large MCP response (~12.3k tokens), this can fill up context quickly”. I just wish it didn’t.
  • It would be great if running shopify theme check on https://themes.shopify.com/themes/dwell/presets/dwell would have a clean pass. But it doesn’t (2 errors, 23 warnings as of 13 March 2025)

In short I want: An easy way to work with Claude Code on customising a Shopify theme as well as helping me generate content. If the mountain of using Shopify in a headless state weren’t so daunting, I’d switch right over to Next.js. But the problem there is then my user cannot make little Editor edits. So I’m stuck here hoping to find an easier way of developing with an AI agent than currently.

> This limitation is in line with the recent changes that were made with how custom apps are created and authenticated on merchant stores

Forgive me Kellan as I’m truly not technical, so just a comment: If I can do all of this via Shopify APIs which I have to write a CLI for, then why is this more dangerous if I just used the Shopify CLI. I wish it wasn’t locked down.

I tried to attach my skills and script for your product manager, but I cannot. Basically, I give it a product image, it analyses it and writes alt text, searches against the store for other products to compare, figures out the category via query, writes product title and description against copy guidelines. Creates the product as DRAFT with “online store” as a channel (even though it’s in draft).

I’ve heard of the AI mandate from Toby, and this is what gives me hope on Shopify. The fact that you have a CLI and MCP are great, that I can ask your dev docs questions too. The AI chatbot in the actual store needs work - more grounding in your current interface.

But beyond all this - I need the ability to customise a theme that is easier to agentically code - and this includes content/product creation.

Feel free to disregard this message if it is not useful. I may be going about things in the wrong way. I’m stumbling in the dark.

Hi @Michelle,

This message is definitely useful. All feedback is great, especially feedback on new AI features our partner developers are using to help make development easier and more accessible for everyone. I will absolutely be passing all of this feedback on internally as well.

Regarding the Theme check errors, I may recommend posting a new thread specifically about that in the Online Store and Theme Development board, or you can reach out to our Support Team directly via the Shopify Help Center and our Developer Support team can help look into specific errors on individual themes with you directly.

Hello @Kellan-Shopify

Thank you for your reply, again (and your patience).

RE: Horizon Cursor Rules - trustable - Claude Code says no.

Now for another “I want to use AI for Shopify”, I’ve been looking at https://github.com/Shopify/horizon/tree/main/.cursor/rules as I thought “Great, they’ve done it for me as I’m sure LLMs don’t know much about Shopify code so I need those rules”.

I was about to port over all the rules (Horizon repo) into my Dwell theme repo. Then I checked accessibility rules in the Horizon repo against the Shopify Dwell Horizon theme. Again, no knowledge from my side - so I am stuck at asking Claude Code to do it.

It is best shown by a screenshot than me explaining. This is line 17 that I wrote in my “port-shopify-horizon-rules-to-claude-code-rules” skill:

*If the filename contains “accessibility” (e.g. `accordion-accessibility.mdc`, `modal-accessibility.mdc`), **skip it**. Tell the user: “Skipping — accessibility rules are not ported. This theme uses native HTML5 elements (``, ``, Liquid `image_tag`) that handle accessibility semantics natively, so these rules diverge from the codebase and would produce false positives.” Then stop.*
Now incorporate into this instruction:

And then going through the five rules (plus 6 prior rules making a total of 11), the results were:

Again, I’m not technical enough to know if this is in fact valid and true.

Question: Are you able to tell me if I can trust all the Horizon rules, or not so much?

***

PS: clearly not in the right discussion forum here, but I thought I’d put it “all in one place” for your Product Manager et al.

Hi @Michelle,

I do apologize, though I would ask you to repost this question in the Online Store and Theme Development board in a new thread, as this is a separate topic from the original CLI question at this point.

I’m not super familiar with Theme Development myself, as I am a Back End Developer Support Specialist, and reposting this in the correct board will ensure one of our Front End Specialists or community members with more knowledge on this topic can help more efficiently. Also, posting it in the correct board will make the thread available and easier to find for other partner developers looking into this in the future as well.