Mutating Customer metafields from Customer UI Extensions

:wave:

I have some weird access errors trying to mutate Customer metafields via a Customer Account extension. No matter what, in all POST requests I’m met with "Access denied for metafieldsSet field. Required access: access defined by each metafield input "ownerId" scalar's type in a "MetafieldsSetInput" field.\nFor example, setting a metafield on a "CUSTOMER" requires the same access as mutating a "CUSTOMER".\n"

await fetch("shopify:customer-account/api/2025-01/graphql.json", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    query: `mutation setPreferences($metafields: [MetafieldsSetInput!]!) {
        metafieldsSet(metafields: $metafields) {
          userErrors {
            field
            message
          }
        }
      }`,
    variables: {
      metafields: [
        {
          namespace: "test_app",
          key: "test_metafield",
          ownerId: customerId,
          value: 'Some data',
        },
      ],
    },
  }),
});

I have no trouble fetching the metafield. It’s only mutations.

I have the following scopes set in both shopify.extension.toml and shopify.app.toml: customer_read_customers,read_customers,write_customers,customer_write_customers

Am I missing something obvious?

Hey @curzey! When you created the metafield from the Admin API, did you make sure to specify READ_WRITE customerAccount access?

Hi @Kenza_Iraki!

Actually I made a huge facepalm, because no - I forgot that setting.

However, it actually did not change anything.



@curzey it’s not documented well but our team ran into a similar issue and figured out that you can only set the Customer Account API access on app owned metafields (i.e. using the app reserved namespace). For merchant owned metafields, the access has to be set manually through the Shopify admin settings.

1 Like

@curzey Thanks for confirming! One last thing to check before I escalate this with my team, did you request access to protected customer data?

1 Like

Thanks both!

@Brett that sounds interesting, and possibly also true. Maybe @Kenza_Iraki can elaborate on this. But is that also relevant for Customer Account Extensions? I’m trying to keep it small and native to avoid external hosting etc.

@Kenza_Iraki I did not - it’s not a listed app. It’s just a private custom distribution app for a client. Hell, as far as I am currently it’s just scoping and testing on a dev store / app :sweat_smile:

Maybe @Kenza_Iraki can elaborate on this. But is that also relevant for Customer Account Extensions? I’m trying to keep it small and native to avoid external hosting etc.

Yes - Brett is correct, if you’re creating the metafield from the admin, you need to set the correct access for that metafield in the Custom data settings.

Alright, two more ideas to try out from an engineer on my team:

  1. You mentioned you have the access scopes in your app toml file, but did you also run shopify app deploy and accept the new scopes from the shop you’re testing on?
  2. Do you happen to be testing this on the customer accounts order status page in a pre-authenticated state?

1 Like

I’m deffo working with a normally admin-created metafield. Generally I just need to store some custom Customer specific data that they need to be able to modify themselves.

  1. I did deploy
  2. I’m not in the pre auth state

And for the winner; my ignorance - I’ve totally forgotten to open the app and accept new access scopes. I’ve just checked the app dashboard and noticed the access scopes listed there.

Thanks @Kenza_Iraki :sweat_smile: :fire:


So @Brett it is actually possible to write to Customer metafields from Customer Account extensions, outside app-owned metafields :eyes:

3 Likes
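
The failure discussed above, as an added example that is not part of any post in this thread: a helper that classifies a metafieldsSet response so an access denial is not mistaken for an input error, and returns the checks the thread walked through. It assumes the denial arrives in the top-level GraphQL `errors` array (with an `ACCESS_DENIED` extension code or the "Access denied" message text) rather than in `userErrors`; the function name and sample payloads are constructed for illustration.

```javascript
// Added example: classify a metafieldsSet response from the Customer Account API.
// Assumption: access failures arrive in the top-level GraphQL "errors" array,
// while input problems arrive in data.metafieldsSet.userErrors.

// Checks raised in this thread, in the order they were suggested.
const ACCESS_CHECKS = [
  "Definition grants READ_WRITE customerAccount access",
  "Merchant-owned definition: access set in the admin Custom data settings",
  "Ran `shopify app deploy`, then opened the app on the shop and accepted the new scopes",
  "Extension is not on the order status page in a pre-authenticated state",
];

function triageMetafieldsSet(payload) {
  const errors = Array.isArray(payload?.errors) ? payload.errors : [];
  if (errors.length > 0) {
    const denied = errors.some(
      (e) => e?.extensions?.code === "ACCESS_DENIED" || /access denied/i.test(e?.message ?? "")
    );
    return {
      status: denied ? "access_denied" : "graphql_error",
      messages: errors.map((e) => String(e?.message ?? "")),
      checks: denied ? ACCESS_CHECKS : [],
    };
  }
  const userErrors = payload?.data?.metafieldsSet?.userErrors;
  if (!Array.isArray(userErrors)) {
    return { status: "malformed", messages: ["no metafieldsSet result in response"], checks: [] };
  }
  if (userErrors.length > 0) {
    const messages = userErrors.map((u) => `${(u.field ?? []).join(".")}: ${u.message}`);
    return { status: "user_error", messages, checks: [] };
  }
  return { status: "ok", messages: [], checks: [] };
}

// Constructed sample payloads; the denied message is shortened from the one quoted in the thread.
const deniedSample = {
  errors: [{ message: "Access denied for metafieldsSet field.", extensions: { code: "ACCESS_DENIED" } }],
  data: { metafieldsSet: null },
};
const okSample = { data: { metafieldsSet: { userErrors: [] } } };
const userErrorSample = {
  data: { metafieldsSet: { userErrors: [{ field: ["metafields", "0", "value"], message: "Value is invalid" }] } },
};

console.log(triageMetafieldsSet(deniedSample).status, triageMetafieldsSet(okSample).status);
```
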

@curzey glad you were able to get that figured out here and it was a simple solution! Sounds like what you were experiencing here is a bit of a different situation than we ran into.

@Kenza_Iraki just to clarify here:

  • When creating a non app-owned metafield via Admin API, we cannot set the Customer Accounts API access. We’re having to detect this and display a warning in our app to instruct the merchant to manually change the access setting through the Shopify admin settings if necessary.
  • When creating an app-owned metafield via Admin API, we can include the Customer Accounts API access setting and all works correctly.
  • Either way, once the access permission is set correctly actually writing to the metafield isn’t a problem so no issue there.

It’s been a couple of months since we’ve built this feature so it is possible something has changed or been updated here, but that was our experience with this.

1 Like

That’s correct @Brett. Using app-reserved namespace metafields would be the workaround I would recommend.

Thanks @Kenza_Iraki!

So just to confirm, it is the expected behavior that the access setting cannot be set via API for non app-owned metafields?

@Brett I’m actually not sure this is still the case, the info I have on this is from early December, and from looking at the changelog, it seems like that was updated on Dec 11. Let me know if it still doesn’t work on your side and I can probe with the relevant teams.

2 Likes

@Kenza_Iraki Thanks for sharing! We were participating in the launch program for Customer Account Extensions so our features were all built out well before this.

I believe we may have missed this change with all of the other announcements and the customer account extension launch on that day, but I’ll make sure to pass this information on to our team to test and let you know if we experience any problems with it. Thanks again for flagging this.

1 Like