How to use Shopify’s API with custom app changes?

@Anish_Dalvi ,

Awesome, I’m very glad to hear I could help with your app development! I figured that you would have had the app configuration setup already as you were generating Admin API tokens outside of the extensions already, but I did want to share the documentation and information on it just in case it helps.

This thread is marked as solved currently, but if you do have any further questions or issues with this topic, please do reply here and I can definitely help look into it further. If you have any issues with a specific API call returning an error or anything, please do also provide the x-request-id from the HTTP Response Header for us to find the call in our logs internally.

Regarding the UI issue with the reaction icons, thank you for the report of this, I am replicating this as well myself, and I will be sharing this with our team internally to help look into further!


Hi @Kellan-Shopify,

We’re a merchant, and tried to create a custom app via the dev dashboard (as per above) to pull some data for internal use and are getting the following error:

“message”: "Access denied for shopifyqlQuery field. Required access: read_reports access scope. Also: Level 2 access to Customer data including name, address, phone, and email fields. Please refer to protected customer data [requirements]

The scope read_reports is added, we have raised a support case with Shopify Plus support and they mentioned the app was created “unlisted”, although no further details how to make it a “custom app”.

Has the process changed since your original post?

Hi @meckens,

This is a separate issue from this thread, so if you have any follow up questions, please do post a new thread in the Community Forums in the GraphQL Admin API Troubleshooting topic.

That said, merchant created custom apps in the dev dashboard are displayed as “unlisted” on our end, though they are still considered custom apps. This is due to the way these apps are created, and the fact that the app developer is not able to select a distribution method in the Dev Dashboard, either public or custom, unlike Partner account created apps.


Regarding the access scope issue, you can see if your app does have the read_reports scope on the app installation with the following query to see a list of access scopes on the current app installation on the store:

{
  appInstallation {
    accessScopes {
      handle
    }
  }
}

If you do not see the read_reports scope listed, then you’ll need to add it to the app configuration, either by creating a new version in the Dev Dashboard with the updated scopes, or updating the app’s toml file and deploying the new version with the Shopify CLI shopify app deploy command.


As for the “Level 2 Customer Data” error, this can be expected behaviour even with custom apps, depending on the store’s plan, as Level 2 PII Custom Data is not available for custom apps on Basic or Starter plans, only Grow plans and above.


If either of the above information doesn’t explain the behaviour you’re seeing still, we will need you to reach out via the Shopify Help Center and discuss this with our Support Team further, as we would need to look into the store and app in an authenticated support interaction, which we are unable to do via the Community Forums.
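
Added example, not part of the reply above and not Shopify's own code: a small Python check that runs the appInstallation scope query, reports which required scopes are missing, and keeps the x-request-id header for a support case. The function names and sample response are constructed for illustration; the `/admin/api/{version}/graphql.json` path and `X-Shopify-Access-Token` header are the standard Admin API conventions rather than values from this thread.

```python
import json
import urllib.request

SCOPE_QUERY = "{ appInstallation { accessScopes { handle } } }"

# Constructed sample of the response shape returned by the query above.
SAMPLE_RESPONSE = {
    "data": {"appInstallation": {"accessScopes": [
        {"handle": "read_products"},
        {"handle": "read_orders"},
    ]}}
}


def missing_scopes(graphql_body, required):
    """Return the required scope handles that the installation does not have."""
    if graphql_body.get("errors"):
        # Surface API errors instead of reporting every scope as missing.
        raise RuntimeError(f"GraphQL errors: {graphql_body['errors']}")
    scopes = graphql_body["data"]["appInstallation"]["accessScopes"]
    granted = {scope["handle"] for scope in scopes}
    return sorted(set(required) - granted)


def check_installation(shop, api_version, token, required,
                       opener=urllib.request.urlopen):
    """Run the scope query; return (missing scopes, x-request-id)."""
    request = urllib.request.Request(
        f"https://{shop}/admin/api/{api_version}/graphql.json",
        data=json.dumps({"query": SCOPE_QUERY}).encode(),
        headers={
            "Content-Type": "application/json",
            "X-Shopify-Access-Token": token,  # read from a secret store, never hard-code
        },
        method="POST",
    )
    with opener(request, timeout=10) as response:
        # Keep the request id: support can use it to find the call in their logs.
        request_id = response.headers.get("x-request-id")
        body = json.load(response)
    return missing_scopes(body, required), request_id
```
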

@Kellan-Shopify For some of our clients, legacy integration systems are in place that cannot be adapted to use the Authorization Code Grant approach.

Wondering what your thoughts are on creating a new embedded app exclusively to generate a token for a separate integration? It would use the Shopify RR7 app template to execute an Authorization Code Grant, where the accessToken value from the Session would be leveraged the same way as the old Shopify Admin custom app token system. From reading through this thread, it seems that type of token does not expire, but wondering if there are other limitations we may not be aware of?

We need to be able to provide a raw token value to the legacy systems, and from testing so far, this seems like it could be a viable approach?


Hey Nic, I understand the approach you’re proposing but please don’t do this. A few reasons:

  1. For simple integrations apps can use the client credentials grant to get access tokens. For simple legacy integrations this would be the best approach.
  2. We recommend using expiring tokens as the safest way to access shop APIs. Your approach would rely on long lived credentials.
  3. All apps must keep their credentials and access tokens secure. Showing the access token in the browser (e.g. in an embedded app) fails to do this.

@TerenceShopify to clarify - these would be private custom apps built for a single client, not distributed anywhere. If there is a concern about surfacing the token in the browser (like the old system did), it could be obtained directly from the database by a developer and set up as an environment variable in the legacy integration - not ideal, but it seems this is perhaps the best we can hope for at this point.

The legacy systems that our client has are vital to their operations, but cannot currently be modified within a reasonable timeframe - for the immediate future, they need to continue operating in exactly the same way as they were previously, with the old custom app Shopify admin token system.

Unless I’m missing something, the client credentials grant does not appear to be suitable for legacy integration automations, as they would need to be manually regenerated every 24 hours. Please do provide more details if this is not the case.

The main issue here is that Shopify has deprecated a critical system without providing clear guidance on a viable alternative approach. The new approaches are sensible for new apps, but unfortunately have excluded a significant stakeholder group entirely. It’s unfortunate this scale of change to existing systems didn’t have the same type of rollout as the deprecation to checkout.liquid and scripts, where merchants were given a reasonable timeframe with clear notice about the change and its potential impacts to their business.


While I’m not a huge fan of the changes, I’m able to automatically generate an access token every 24 hours without user interaction. Our integration just requires that the user enters the app’s Client ID and Client Secret into settings, and updates them if those ever change.
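
Added example, not part of any post above and not Shopify's or a poster's code: one way to renew a client credentials grant token automatically and hand a raw token to a legacy job that cannot be modified. `fetch_token`, `TokenBroker` and `write_for_legacy` are hypothetical names, and the token endpoint, form fields and `expires_in` response field are assumptions based on Shopify's client credentials grant documentation, not values from this thread.

```python
import json
import os
import time
import urllib.parse
import urllib.request


def fetch_token(shop, client_id, client_secret, opener=urllib.request.urlopen):
    """Exchange the app's Client ID and Client Secret for a short-lived token."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    # Assumed endpoint; credentials travel in the POST body, never in the URL.
    request = urllib.request.Request(
        f"https://{shop}/admin/oauth/access_token", data=form, method="POST")
    with opener(request, timeout=10) as response:
        return json.load(response)


class TokenBroker:
    """Caches the access token and renews it shortly before it expires."""

    def __init__(self, fetch, margin=300, clock=time.time):
        # fetch: zero-argument callable, e.g. lambda: fetch_token(shop, cid, secret)
        self._fetch, self._margin, self._clock = fetch, margin, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            grant = self._fetch()
            self._token = grant["access_token"]
            self._expires_at = now + int(grant["expires_in"])
        return self._token

    def write_for_legacy(self, path):
        """Atomically publish the current token to an owner-only file (POSIX)."""
        tmp = f"{path}.tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)  # enforce the mode even if a stale tmp file existed
        with os.fdopen(fd, "w") as handle:
            handle.write(self.token())
        os.replace(tmp, path)  # readers never observe a half-written token
```

Running `write_for_legacy` from a scheduler more often than the token lifetime keeps the file current, so the legacy system keeps reading a raw token while only the Client ID and Client Secret are stored long term.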