Orders/Create webhook customer data is redacted even after Protected Customer Data approval

Hi everyone,

I’m building a public Shopify app that receives order data through the orders/create webhook.

The issue is that all customer fields are still redacted/null, including:

  • phone number

  • shipping address

  • billing address

Example fields returning null/redacted:

  • order.customer.phone

  • order.shipping_address.phone

  • order.billing_address.phone

  • address fields

THE PROBLEM:

  • my app has been approved for Protected Customer Data access

  • the app is approved to go live

  • I already reinstalled the app after approval

  • I have read_orders and read_customers scopes

  • webhook authentication works correctly

  • orders are received successfully

Current scopes:

[access_scopes]
scopes = "write_products,write_orders,read_orders,read_customers"

Webhook subscription:

[[webhooks.subscriptions]]
topics = [ "orders/create" ]
uri = "/webhooks"

I also tried:

  • uninstalling/reinstalling the app

  • redeploying app config

  • testing on dev stores

  • logging the raw webhook payload; it doesn't show the customer fields

Would really appreciate any guidance.

Hi,

This is how Shopify has designed the system; it is not an error. Webhooks are not really considered to be data export channels. Having protected customer data approval doesn’t change that. Your scopes are correct, but Shopify expects that you will use webhooks to tell your app that an order was created and give basic, non-sensitive fields. You should be calling the Admin API (GraphQL or REST) to fetch the full order, including the sensitive data.
Your orders/create webhook should provide the Admin GraphQL ID, or at least the numeric ID that you can convert to a GID. With that ID, the Admin GraphQL API will be able to get the information that you want. Are you okay with using Admin API calls or would you like an example query?
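
The flow described in the reply above, as an added example that is not part of the original posts: verify the webhook HMAC, report which of the fields named in the question arrived null, and build the Admin GraphQL request from the order ID. The function names, the selection set in `ORDER_QUERY`, and the sample payload and secret are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

# Field paths the question reports as null/redacted in the orders/create payload.
PROTECTED_PATHS = ["customer.phone", "shipping_address.phone", "billing_address.phone"]

# Assumed selection set for the follow-up Admin GraphQL call; adjust to your needs.
ORDER_QUERY = """query($id: ID!) { order(id: $id) { id name
  shippingAddress { phone address1 city zip }
  billingAddress { phone address1 city zip } } }"""

def verify_webhook(raw_body: bytes, hmac_header: str, client_secret: str) -> bool:
    """X-Shopify-Hmac-Sha256 is base64(HMAC-SHA256(raw body, app client secret))."""
    digest = hmac.new(client_secret.encode(), raw_body, hashlib.sha256).digest()
    # Constant-time comparison on bytes; a missing header compares as empty.
    return hmac.compare_digest(base64.b64encode(digest), (hmac_header or "").encode())

def order_gid(order: dict) -> str:
    """Prefer the GID carried in the payload; otherwise build it from the numeric id."""
    gid = order.get("admin_graphql_api_id")
    return gid if gid else f"gid://shopify/Order/{int(order['id'])}"

def missing_protected_fields(order: dict) -> list:
    """Return the protected paths that are absent or null in this payload."""
    missing = []
    for path in PROTECTED_PATHS:
        node = order
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            missing.append(path)
    return missing

def handle_order_webhook(raw_body: bytes, hmac_header: str, client_secret: str):
    """Return None for an unauthenticated request, else what to log and what to query."""
    if not verify_webhook(raw_body, hmac_header, client_secret):
        return None  # reject before parsing anything from the body
    order = json.loads(raw_body)
    return {"redacted": missing_protected_fields(order),
            "graphql": {"query": ORDER_QUERY, "variables": {"id": order_gid(order)}}}

# Constructed sample payload and secret (not real data).
SECRET = "example-secret"
BODY = json.dumps({"id": 1001, "customer": {"phone": None},
                   "shipping_address": {"phone": None}}).encode()
SIG = base64.b64encode(hmac.new(SECRET.encode(), BODY, hashlib.sha256).digest()).decode()
```

The `graphql` value is the JSON body to POST to the shop's Admin GraphQL endpoint with the app's access token; logging the `redacted` list avoids writing the raw payload, and any customer data in it, to logs.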

Turns out I had level 1 POC, not level 2; that's what caused the problem. My mistake.