We are currently getting a error log saying ACCESS DENIED on our backupRegion query. Merchants have accepted all the proper access scopes but we are seeing this error still. Any ideas on why we would be seeing this error even thought access scopes are accepted?
Context
- Admin GraphQL call from an Admin Action
- API version: 2025-10
Query
query GetBackupRegion {
backupRegion {
id
name
... on MarketRegionCountry {
code
currency { currencyCode manualRate }
}
}
}
Error
GraphQL errors: [{
"message":"Access denied for backupRegion field. Required access: `read_markets` for queries and both `read_markets` as well as `write_markets` for mutations.",
"path":["backupRegion"],
"extensions":{"code":"ACCESS_DENIED"}
}]
What we’ve checked
- App requests
read_markets and write_markets; merchant accepted scopes.
- Running Admin API.
- Fails only on
backupRegion.
Any guidance would be greatly appreciated. Thanks!
@Liam-Shopify @David_Salgado this is impacting our app pretty severely - but oddly only on a handful of stores
Can you give us any insight?
We ran additional tests and found that removing certain staff permissions from the user performing the Admin Action reproduces the exact error our merchants are seeing. This makes us think the Admin Action is constrained by staff permissions in addition to the app’s scopes.
@Liam-Shopify Is this expected behavior for app-created Admin Actions? i.e., if a staff member lacks a required permission, the action fails even when the app has the necessary scopes or is this a bug?
hey, thanks for the ping, if the merchants have the scopes then nothing comes to mind, do you have a trace that I can use to check on my end? feel free to send over email to david.salgado at shopify.com
Thank you David! I just sent you an email.
will dig, one thing came to mind… even if the scope is granted, maybe the current installation of the app has not taken it, do you have a chance of reinstalling in one of the merchants to see if it solves? if that solves, I might be able to do something else on my side
Thanks for jumping in!
I have verified the access scopes via direct api call - we definitely have them on the problem stores.
They have also tested internally and found the store owner account has no issues, but staff accounts do. We have not so far been able to figure out if a specific staff permission is the culprit - but one store insists they have the full owner permissions on the staff account that doesn’t work (but the owner’s account does)
let’s wrap this one!
Once we knew the api client ID we were able to identify a few successful and failed requests. We saw a difference in the user access for the requests, that could be solved two ways:
- using shop tokens instead of per-user tokens
- granting the right permission to the per-user tokens (they were missing ‘Domain’ to be able to run the operation)
the team realized that the per-user tokens were not intended, and last time we talked over email it seems that swiching that solved the issue.
Crossing fingers that the solution still holds!
all the best
DavidS