Public Non-Financial Apps Need read_users Scope

bakikucukcakiroglu · March 5, 2025, 9:13am

Hello Shopify Devs,

read_users access scope is locked very carefully. Shopify may have its internal company plans aiming something specific but I don’t think their plan is to block the developer of a live chat app from listing staff members in the dashboard so that each live ticket can be assigned to a staff member by the owner account. There are also other use cases of other developers that are not that deep.

Why is this scope so locked down? Also any workaround that will allow me the list of staff members with their name and email is appreciated.

Best,

Stefan_Buciu · October 6, 2025, 7:31pm

I am also facing this. Why is this limitation in place?

KyleG-Shopify · October 6, 2025, 8:52pm

Hey @Stefan_Buciu and @bakikucukcakiroglu, the primary reason here would be to help protect a stores sensitive staff data.

The scopes are available for custom apps for stores on the plus and advanced plan for non-financial apps.

An alternative though would be to find a way to associate a user without needing their specific staff details.

It might be worth testing using online access tokens. This way you can associated the current logged in user with their logged in session. In the case of a chat app, you could then use app metafields to associate the logged in user with their user profile in your app to see their assigned tickets, etc.

bakikucukcakiroglu · October 6, 2025, 10:06pm

It’s been 7 months. I already figured it out. Thanks for replying too quick

Stefan_Buciu · October 7, 2025, 10:20am

Hi @KyleG-Shopify, I understand the security reason, however:

when you install the app, you have to approve all scopes
we have a custom app, and we are in touch with the Store Owner, this kind of detail can be solved when talking with them

At least for Custom App, I believe this should be allowed. And in addition, maybe we do not even need the entire staffMember object. Maybe a different object with less properties, that would give us something to work with besides the StaffID would be great

KyleG-Shopify · October 7, 2025, 4:46pm

My applogies for missing that initially, @bakikucukcakiroglu. The post from Stefan bumped it back to the top. Would you be willing to share for the community any workarounds you found?

For custom apps, if your client isn’t on the advanced or plus plan, I would recommend using metafields to store the data you need.

This is a great call out though, and I’ll share this feedback with our teams.

Topic		Replies	Views
Issue getting pos staff accounts GraphQL Admin API Troubleshooting general-gql-troubles	3	54	January 13, 2025
Access scope to access StaffMember Id with public apps GraphQL Admin API Troubleshooting general-gql-troubles	4	93	March 12, 2025
Trouble Accessing StaffMember via Admin API – read_users Scope Error Authentication & Access access-scopes	1	105	June 17, 2025
Why is read_users so locked down? Authentication & Access access-scopes	1	147	October 27, 2024
Access to StaffMemberPrivateData GraphQL Admin API Troubleshooting rest-migration , general-gql-troubles	8	161	March 6, 2025

Public Non-Financial Apps Need read_users Scope

Related topics