Hi everyone,
We are currently using the themeFilesCopy GraphQL mutation.
Our staging and production apps can already use this mutation successfully after Shopify approved the exemption request.
However, our development app still receives:
ACCESS_DENIED:
“The user needs write_themes and an exemption from Shopify to modify theme files.”
The dev app already:
But only the dev environment cannot access the mutation.
Questions:
-
Is the exemption granted per app ID rather than per organization/app family?
-
Does each dev/staging/prod app require a separate approval?
-
Or are development/custom apps intentionally restricted from using themeFilesCopy?
Has anyone experienced this behavior before?
Hey @Levi_Ha -
Just confirming: themeFilesCopy needs both the write_themes scope and the protected theme-file exemption enabled for the app making the request.
If your dev, staging, and production environments are separate Shopify apps/client IDs, the exemption would need to be applied to the specific dev app as well. I don’t think this is a general restriction on development/custom apps, but we’d need to check the approval against the actual dev app.
Could you share the dev app/client ID and, if you have it, the exemption approval reference or email thread? Also worth confirming the app was reinstalled after write_themes was added so the access token includes the latest scope. Let me know if you’d rather DM me that info and I can set one up. Hope to hear from you soon!
Hi Alan, thanks for the help.
I think this may be related to the dev app/client ID.
I confirmed:
-
write_themes scope is enabled
-
The dev app was reinstalled after adding scopes
-
We are testing on a new dev store
-
Production works, but development gets themeFilesCopy ACCESS_DENIED
The development environment uses a separate Shopify app/client ID from production.
Could you help verify whether the protected theme-file exemption is enabled for the dev app as well?
Dev app/client ID: ec2dc7771b9489e84178004b50eb8710
Exemption approval reference / ticket ID: 66728142
Thanks!
Hey @Levi_Ha - no worries, happy to help. I took a look at the client app there and it looks like you should have Theme Asset API access for it. If you’re able to - could you share the X-Request-ID we send back as part of the response headers for an example of the “Access Denied” response you’re getting back from us?
I can take a closer look at the logs to see if something else may be happening here - hope to hear back soon!
Hey @Alan_G, sorry for the delay — I was tied up the past few days. Reproduced it just now, here are the details:
-
Shop: gemcommerce-levi-local.myshopify.com
-
Endpoint: POST /admin/api/2026-01/graphql.json (themeFilesCopy mutation)
-
X-Request-ID: 2ff3750a-60c5-480a-9dab-9f2bcd67cc09-1780309052
-
HTTP status: 200 OK (error is in the GraphQL errors array)
Response payload:
{
"errors": [
{
"message": "Access denied for themeFilesCopy field. Required access: The user needs write_themes and an exemption from Shopify to modify theme files. If you think that your app is eligible for an exemption and should have access to this API, then you can submit an exception request (https://docs.google.com/forms/d/e/1FAIpQLSfZTB1vxFC5d1-GPdqYunWRGUoDcOheHQzfK2RoEFEHrknt5g/viewform).",
"locations": [{ "line": 1, "column": 79 }],
"extensions": {
"code": "ACCESS_DENIED",
"documentation": "https://shopify.dev/api/usage/access-scopes",
"requiredAccess": "The user needs write_themes and an exemption from Shopify to modify theme files."
},
"path": ["themeFilesCopy"]
}
],
"data": { "themeFilesCopy": null }
}
The response still says the app needs an exemption, even though you confirmed the dev app should have Theme Asset API access. Could it be that the exemption (ticket 66728142) was only applied to our production app and not propagated to the dev client ID ec2dc7771b9489e84178004b50eb8710?
Happy to provide anything else you need. Thanks!
Hey @Levi_Ha - thanks for sending that over.
I checked the request ID on our end and can confirm the access token used for that call includes write_themes, so this doesn’t look like a missing-scope or reinstall issue.
The request is failing on the protected theme-file exemption check for themeFilesCopy, so I’m going to follow up internally against the dev app/client ID you shared and make sure the exemption is applied in the way GraphQL theme-file mutations expect. You don’t need to send anything else for now; I’ll loop back here once I have that confirmed. Thanks again for your patience on this 
Hey @Levi_Ha - just looping back here
I checked into this further, and the distinction here looks to be between theme management access and theme asset/file write access. The write_theme_api scope/theme management approval covers actions like creating, duplicating, renaming, publishing, or deleting themes, but mutations like themeFilesCopy, themeFilesUpsert, and themeFilesDelete need the protected theme file/assets approval specifically.
So even though the token and the app is approved for write_themes, the app is still failing these GraphQL theme file mutations if that asset-level approval is not applied to the dev app/client ID. The access you’d need for the development app would be write_themes_assets- and I would reccommend reaching out in the ticket there to see if it’s possible for our team to add that access scope.
Let me know if I can help clarify anything on our end here - happy to take another look.