`marketingUnsubscribeUrl` now requires `write_customers` instead of `read_customers`? (Admin GraphQL 2025-04)

We are seeing what appears to be an undocumented scope requirement change for a specific Customer GraphQL field.

Observed behavior

  • Field: Customer.defaultEmailAddress.marketingUnsubscribeUrl

  • API: Admin GraphQL

  • Version pinned: 2025-04

  • Previously accessible with: read_customers

  • Currently failing unless: write_customers is granted

This began occurring without any code or configuration changes on our side and is now blocking requests that previously succeeded. It started less than a few hours ago.

Documentation mismatch

The official docs for 2025-04 still indicate that this field should be accessible under read_customers:

https://shopify.dev/docs/api/admin-graphql/2025-04/objects/customer#field-Customer.fields.defaultEmailAddress.marketingUnsubscribeUrl

We have not found:

  • Any changelog entry

  • Any deprecation notice

  • Any forum posts indicating that this field’s required scope changed

Context / speculation

The field is described as:

“The URL to unsubscribe a member from all mailing lists.”

Conceptually, it is understandable that Shopify may consider this a write-level capability, since the URL performs a customer-affecting action. However, if this is the case, it appears to be:

  • A breaking change

  • Not reflected in current documentation

  • Not announced via versioning or changelog

Impact

This is disruptive for existing integrations that intentionally avoid requesting write_customers due to its breadth.

Questions

  1. Has the required scope for marketingUnsubscribeUrl changed from read_customers to write_customers?

  2. If so, is this intentional and permanent?

  3. If not, is this a known regression or transient issue?

  4. Will the documentation be updated to reflect the correct requirement?

Any clarification from Shopify would be greatly appreciated, as this affects production integrations and merchant experience.

Hi @Justin_Smith

I am seeing in our docs that write_customers is required for this field:


It looks like this was a recent change on our side - and it’s possible the docs have just been updated very recently. Digging into this on my side.

Thanks for the reply @Liam-Shopify.

This seems to have been recent and retroactive - but good to know it is intended and permanent. The reason I say that is that all docs had read_customers on this field no matter the version I was looking at prior to this post. That said, I think understanding what kind of changes can occur retroactively on prior API versions would be helpful.

  • Are scopes at the object level sticky? i.e., can we see a similar situation to marketingUnsubscribeUrl but at the object level - e.g., Customer?
  • Is there an alternative place other than Recent changes to Shopify’s platform that these changes can be monitored? FWIW, I do not see anywhere that this field was transitioning from read_customers scope to write_customers scope.

Any additional info you could provide is appreciated! We will assume on our side, unless you say otherwise, that object level scopes (i.e., on the customer object itself) stay consistent for set API versions, but field level scopes may change as we saw here.

1 Like

The scope should only be required for that field, not the entire object.

RE: keeping up to date with API changes, the changelog is the best place. We missed this one unfortunately but we’re creating a changelog update on this now.

1 Like

Looks like a changelog post just went up for this.

According to this, it was immediately and retroactively applied to all API versions since it was addressing a security vulnerability.

2 Likes
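
The thread's point that the new scope applies to the one field rather than to the whole Customer object can be checked client-side. The following is an added example, not code from any poster or from Shopify: it reads a GraphQL response, picks out authorization errors, and reports which field was denied and which scope is missing. The sample response is constructed, and its shape (an `extensions.code` of `ACCESS_DENIED`, a `path` list, the scope named in the message, partial `data` alongside `errors`) is an assumption.

```python
# Added example: classify field-level scope denials in a GraphQL response.
# SAMPLE_RESPONSE is constructed; its error shape is an assumption, not
# quoted from the thread.
import re

SAMPLE_RESPONSE = {
    "data": {"customer": {"id": "gid://shopify/Customer/1",
                          "defaultEmailAddress": {
                              "emailAddress": "a@example.com",
                              "marketingUnsubscribeUrl": None}}},
    "errors": [{
        "message": "Access denied for marketingUnsubscribeUrl field. "
                   "Required access: `write_customers` access scope.",
        "path": ["customer", "defaultEmailAddress", "marketingUnsubscribeUrl"],
        "extensions": {"code": "ACCESS_DENIED"},
    }],
}

# Scope names such as read_customers or write_customers inside a message.
SCOPE_RE = re.compile(r"\b((?:read|write)_[a-z_]+)\b")


def scope_denials(response, granted_scopes):
    """Return one record per denied field: path, scopes named, scopes missing."""
    denials = []
    for err in response.get("errors") or []:
        if (err.get("extensions") or {}).get("code") != "ACCESS_DENIED":
            continue  # not an authorization failure; handle elsewhere
        named = sorted(set(SCOPE_RE.findall(err.get("message", ""))))
        denials.append({
            "field": ".".join(str(p) for p in err.get("path") or []),
            "named_scopes": named,
            "missing_scopes": [s for s in named if s not in granted_scopes],
        })
    return denials


def is_field_level(response, denial):
    """True when every parent of the denied field still resolved in data."""
    if not denial["field"]:
        return False  # no path reported, cannot tell field from object
    node = response.get("data") or {}
    for key in denial["field"].split(".")[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return False
    return True
```

Logging the output of `scope_denials` per API version gives an early signal when a field's required scope changes without a code change on the integration side.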