I have reproduced the issue on the latest CLI version.
Yes, I am on the latest version
I have searched existing posts and this report is not a duplicate.
Yes, this isn’t a duplicate
In which of these areas are you experiencing a problem?
App
Expected behavior
When shopify store auth is passed a valid Shopify scope name, the OAuth handshake should either (a) present the merchant with a consent screen listing that scope, or (b) fail with a clear message stating that the built-in shopify-cli-connector-app is not approved for that scope and documenting the recommended alternative.
Specifically, passing read_all_orders should let a merchant authorize full historical order access for a store they own and administer, since Shopify’s own docs ( Order - GraphQL Admin ) state that read_all_orders is the intended unlock for orders older than 60 days.
Per Shopify’s own [Order object docs]( Order - GraphQL Admin ):
Only the last 60 days’ worth of orders from a store are accessible from the Order object by default.
To access all the orders, you need to request access to the `read_all_orders` scope.
For BI / analytics / compliance queries against our own stores, 60 days is nowhere near enough. We had a real instance this week of an analyst trying to query Aug 2025 orders for a Facebook ad-tag investigation and assuming the store wasn’t backfilled — the true cause was this scope ceiling, which is completely invisible in the OAuth UX and in the Shopify AI Toolkit docs.
Actual behavior
shopify store auth fails immediately with a raw OAuth error and never opens a browser:
OAuth error missing_shopify_permission: read_all_orders
The merchant never sees a consent screen. There is no CLI flag, no admin-side toggle, and no documented workaround — the shopify-cli-connector-app scope list is locked server-side. Net effect: shopify store execute can never return orders older than ~60 days for any store, even one owned and administered by the person running the CLI.
Reproduction steps
-
Install Shopify CLI 3.93.2 as a local devDependency (
pnpm add -D @shopify/cli@^3.93.0) in an empty Node project. -
Run:
pnpm exec shopify store auth \ --store <any-store-you-own>.myshopify.com \ --scopes read_products,read_orders,read_all_orders,read_customers,read_inventory,read_locations,read_fulfillments -
Observe: OAuth error
missing_shopify_permission: read_all_ordersis printed; no browser opens; no token is cached. -
Removing
read_all_ordersfrom the--scopeslist makes the command succeed, confirming the other six scopes are fine and only
read_all_ordersis rejected.
Requested fix (one or more of)
- Approve read_all_orders on shopify-cli-connector-app so merchants can opt in at OAuth time. This is the cleanest fix and matches how merchants already reason about their own stores.
- Accept a merchant-supplied custom-app token via a new flag like shopify store auth --access-token --store , letting merchants bypass the connector app entirely for stores where they’ve created a custom app with read_all_orders. (GitHub issue #6415 / PR
#6626 partially addressed this for theme commands — extend to store execute.) - At minimum, document the limit loudly in the shopify store auth and shopify store execute docs, and return a specific error from shopify store execute when a query is silently truncated by the 60-day boundary.
Verbose output
OAuth error missing_shopify_permission: read_all_orders
Operating system
Ubuntu 22.04.5 LTS on WSL2 (Windows 11 host)
CLI version
3.93.2
Shell
bash
Nodejs version
v22.19.0
What language and version are you using in your application?
Node.js v22.19.0