I am trying to retrieve basic aggregated traffic analytics for merchants who have installed my public app (e.g., sessions breakdown by device, traffic by country). I do not need PII (names, emails, specific addresses).
The Query: I am running a standard query against the sessions dataset (via shopifyqlQuery). No customer fields are requested:
GraphQL
query TrafficByDevice {
shopifyqlQuery(
query: "FROM sessions SHOW sessions, device_type GROUP BY device_type SINCE last_30_days"
) {
tableData {
columns { name }
rows
}
}
}
The Issue: Despite requesting zero PII, the API returns a blocking error stating that Level 2 access is required:
“Access denied for shopifyqlQuery field. Required access: read_reports access scope. Also: Level 2 access to Customer data including name, address, phone, and email fields.”
My Question: Is there another way I can get this aggregated Shopify Analytics traffic data without Level 2 access? Or has anyone successfully used shopifyqlQuery to get traffic/session data with only Level 1 access?
Level 2 customer data access is required for all shopifyqlQuery calls, even when your query doesn’t touch PII. Another developer ran into this:
Short answer: shopifyqlQuery grants access to all Analytics data. Granular scopes don’t apply to different data types. Since customer data can be accessed through some ShopifyQL queries, Level 2 is required for all of them.
Thanks a lot! So I just got the “Protected customer data access” My account says I should now have access to “Protected customer data” which “Includes data about customers or visitors to stores that’s available through the Customers, Orders, Online store and other Admin API resources, Customer Account API resources, or checkout UI extensions.” For “Protected customer fields (optional)” I have access to “First name and last name fields.”
However, I’m still getting the same error: “Error: GraphQL errors: [{“message”:“Access denied for shopifyqlQuery field. Required access: `read_reports` access scope. Also: Level 2 access to Customer data including name, address, phone, and email fields. Please refer to protected customer data [requirements](Work with protected customer data).”,“locations”:[{“line”:3,“column”:7}],“extensions”:{“code”:“ACCESS_DENIED”,“documentation”:“https://shopify.dev/api/usage/access-scopes",“requiredAccess”:"\`read_reports\` access scope. Also: Level 2 access to Customer data including name, address, phone, and email fields. Please refer to protected customer data [requirements](Work with protected customer data).”},“path”:[“shopifyqlQuery”]}]”
Based on your timeline, the full protected customer data access is likely in place now. Since you’re still seeing the error, next thing I would check is your direct_api_mode setting.
When direct_api_mode is omitted from shopify.app.toml, it defaults to "online". Online access tokens respect the logged-in user’s staff permissions. So even with protected customer data access granted, requests could fail if the current staff doesn’t have access or a valid session token.