Official steps to obtain API Access to own orders?

We make a software that integrates into an ERP system. Our software works with all the big name shopping carts and marketplaces out there. We have many customers using it. It is not a browser-based system. It sits on a server on the same network as the customer’s ERP system. The process used to be: “Here just follow this document. Click on a few things in your Shopify store and give us the access token. Copy/paste into the settings in our software…” . Super simple.

So now, they just do the same thing with client ID / client Secret, right? Wrong!!! Using the new method of making an app in your own store and using client ID/ client Secret, you cannot get access to orders. When you try to add orders to your access scope using Shopify’s UI in your store, the big access scope box turns red. It does not explain why it’s red. It just turns red, does not offer any explanation why, and does not let you save.

So apparently, in order to gain access to orders (why would any company need access to their own orders? What could they possibly ever need that data for???), one must create an “app” in the Shopify Partners website. Then one must “install” the app on their Shopify store.

Then here is the broken part: The client ID / client Secret you get from the Shopify partner website cannot be used to generate your access token programmatically the same way you can with ClientID/secret you generate inside your own store. If you try, you get this big error (in html, not json of course):

System.Exception: 'Shopify authorization token request failed: BadRequest –

Oauth error shop_not_permitted: Client credentials cannot be performed on this shop.

So what is the exact process that any given company should use if they want API access to their own orders?

Hey @MegaOtis, the scope issue and the shop_not_permitted error are actually two separate problems.

For the scope turning red in the Dev Dashboard, make sure you’re selecting read_orders (or write_orders) and not read_own_orders.

The read_own_orders scope is specific to sales channel apps and only grants access to orders that were created by that app, not all orders on the store.

For an ERP integration where you need to pull all of a merchant’s orders, read_orders is the correct scope.

For the shop_not_permitted error, the client credentials grant only works when the app and the store belong to the same Shopify organization.

If the merchant created the app in the Dev Dashboard and their store is also in that same org, you can use client credentials to programmatically request an access token (valid for 24 hours, then you request a new one the same way). The flow is quite simple: Using the client credentials grant.

Since you mentioned your software works with many customers, you may also want to look into distributing your app publicly. That way each merchant installs the app via OAuth and you won’t need to walk each one through the Dev Dashboard setup manually.
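As an added illustration of the token flow described in the reply above (example code written for this thread, not Shopify's own SDK or the original poster's software): a small token source that requests an Admin API token with the client credentials grant, caches it until shortly before the 24-hour expiry, checks that `read_orders` was actually granted before any orders call is attempted, and turns a failed response (JSON or the HTML body the original poster hit) into a typed error instead of a raw exception. The endpoint path `/admin/oauth/access_token`, the form fields `client_id`, `client_secret`, `grant_type=client_credentials`, and the `access_token` / `scope` / `expires_in` response fields are assumed from Shopify's published grant; the HTTP transport is injected so the logic runs offline, and `urllib_post` is the plain-stdlib transport to pass in for a real store.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class HttpResponse:
    """Minimal response shape returned by whatever transport is injected."""
    status: int
    body: str


class ShopifyAuthError(Exception):
    """Raised when the token endpoint refuses the client credentials grant."""

    def __init__(self, status: int, error: str, description: str) -> None:
        super().__init__(f"{status} {error}: {description}")
        self.status = status
        self.error = error
        self.description = description


# Constructed hint table: wording follows the explanation given in this thread.
_ERROR_HINTS = {
    "shop_not_permitted": "client credentials only work when the app and the "
                          "store belong to the same Shopify organization",
}


def _parse_error(resp: HttpResponse) -> ShopifyAuthError:
    """Map a failed token response (JSON or HTML/text body) to a typed error."""
    error, description = "unknown_error", resp.body.strip()[:200]
    try:
        payload = json.loads(resp.body)
        if isinstance(payload, dict) and "error" in payload:
            error = str(payload["error"])
            description = str(payload.get("error_description", description))
    except ValueError:
        # Not JSON (the poster saw HTML): look for a known code in the text.
        for code in _ERROR_HINTS:
            if code in resp.body:
                error = code
    if error in _ERROR_HINTS:
        description = f"{description} ({_ERROR_HINTS[error]})"
    return ShopifyAuthError(resp.status, error, description)


def urllib_post(url: str, form: Dict[str, str]) -> HttpResponse:
    """Real transport: POST a form body and return the status plus text body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return HttpResponse(r.status, r.read().decode())
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, e.read().decode(errors="replace"))


class ClientCredentialsTokenSource:
    """Fetches and caches a short-lived Admin API token via client credentials."""

    def __init__(self, shop: str, client_id: str, client_secret: str,
                 http_post: Callable[[str, Dict[str, str]], HttpResponse],
                 now: Callable[[], float] = time.time,
                 refresh_margin: float = 300.0) -> None:
        # Assumed endpoint; "shop" is the myshopify subdomain, e.g. "example-store".
        self._url = f"https://{shop}.myshopify.com/admin/oauth/access_token"
        self._client_id = client_id
        self._client_secret = client_secret  # never logged or echoed in errors
        self._http_post = http_post
        self._now = now
        self._margin = refresh_margin
        self._token: Optional[str] = None
        self._scopes: Set[str] = set()
        self._expires_at = 0.0

    def token(self) -> str:
        """Return a cached token, or request a fresh one near/after expiry."""
        now = self._now()
        if self._token and now < self._expires_at - self._margin:
            return self._token
        resp = self._http_post(self._url, {
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "grant_type": "client_credentials",
        })
        if resp.status != 200:
            raise _parse_error(resp)
        payload = json.loads(resp.body)
        self._token = payload["access_token"]
        # Assumed: granted scopes come back as a comma-separated string.
        self._scopes = set(payload.get("scope", "").split(","))
        self._expires_at = now + float(payload.get("expires_in", 24 * 3600))
        return self._token

    def has_scope(self, scope: str) -> bool:
        """Check a granted scope (e.g. read_orders) before calling the API."""
        self.token()
        return scope in self._scopes
```

Checking `has_scope("read_orders")` right after the first token request is the cheap way to surface the scope mistake discussed in this thread (read_own_orders selected instead of read_orders) at configuration time rather than as a 403 on the first orders pull; the 5-minute refresh margin keeps a long-running job from using a token that expires mid-request.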

Hello Kyle,

Yes, I confirm that I was able to get this to work by selecting the read_orders scope as opposed to the read_all_orders scope. I suggest the following:

  1. In the Shopify UI when the scope textbox turns red, display an error message indicating what the error is. There is no downside to this. For the trivial amount of Dev hours spent, you will recoup this in saved support hours. In this case the error could be something like this:
    “error: your account is not permitted to select the read_all_orders scope because [insert complex reason here]”

  2. The read_all_orders scope appears at the absolute top of the scopes list. This is why I chose it. Surely lots of other devs do this exact same thing. I recommend you place this scope in the list with the other scopes. You could also put some kind of warning there like (restricted). Since the textbox turned red, and I could not save, I didn’t bother looking for additional scopes. On the read_orders scope, you could put (60 days only).

Thanks,

Scott

Hey Scott, glad it’s working now.

Also, thanks for that feedback. Those are great suggestions and I’ll be sure to pass it on. :memo: