Webhook creation failed with error 403, even though i have scopes added for orders

Hi, I am trying to develop a custom app which can be published in the Shopify store.
Currently I am using it in a development store. Whenever I try to create a webhook for order/create I am getting a 403 exception. I used the read_orders and write_orders scopes; even then, the 403 error is coming.

I am using 2.25 of the Node Shopify API.

Is any special scope needed for creation of a webhook?


{
  "name": "HTTPError",
  "hostname": "yalabs-store.myshopify.com",
  "method": "POST",
  "path": "/admin/api/2024-04/webhooks.json",
  "protocol": "https:",
  "statusCode": 403,
  "statusMessage": "Forbidden",
  "headers": {
    "date": "Mon, 05 May 2025 03:20:53 GMT",
    "content-type": "application/json; charset=utf-8",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "x-sorting-hat-podid": "193",
    "x-sorting-hat-shopid": "66483421378",
    "vary": "Accept-Encoding",
    "referrer-policy": "origin-when-cross-origin",
    "x-frame-options": "DENY",
    "x-shopid": "66483421378",
    "x-shardid": "193",
    "x-stats-userid": "",
    "x-stats-apiclientid": "248072765441",
    "x-stats-apipermissionid": "494075576514",
    "x-shopify-api-version": "2024-04",
    "x-shopify-shop-api-call-limit": "1/40",
    "strict-transport-security": "max-age=7889238",
    "x-request-id": "b4abf47d-2db3-4198-84b9-c9800aa8efab-1746415253",
    "server-timing": "processing;dur=36, cfRequestDuration;dur=331.000090",
    "content-security-policy": "default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.pci.shopifyinc.com https://checkout.pci.shopifyinc.com/build/75a428d/card_fields.js https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fwebhooks&source%5Bsection%5D=admin_api&source%5Buuid%5D=b4abf47d-2db3-4198-84b9-c9800aa8efab-1746415253; report-to shopify-csp",
    "x-content-type-options": "nosniff",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
    "x-xss-protection": "1; mode=block",
    "reporting-endpoints": "shopify-csp=\"/csp-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fwebhooks&source%5Bsection%5D=admin_api&source%5Buuid%5D=b4abf47d-2db3-4198-84b9-c9800aa8efab-1746415253\"",
    "x-dc": "gcp-us-central1,gcp-us-central1,gcp-us-central1",
    "content-encoding": "gzip",
    "alt-svc": "h3=\":443\"; ma=86400",
    "cf-cache-status": "DYNAMIC",
    "report-to": "{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=uOuWBO1P3Wtudw31mQs21%2FN6YULHOXvZeJBpv082G2B2IW00n%2F8EFXvnIb00MCOokb34GtlAl2tmtiiKcyFTlascUj75UXD8g2McMKLjPlPdQYIIBmVN8MJx2syaeN6fNMxkFu5BO9xN4b0r\"}],\"group\":\"cf-nel\",\"max_age\":604800}",
    "nel": "{\"success_fraction\":0.01,\"report_to\":\"cf-nel\",\"max_age\":604800}",
    "shopify-edge-ip": "23.227.38.74",
    "server": "cloudflare",
    "cf-ray": "93ad1ac5dd6379e9-HYD"
  }
}

Hi @Mathiarasan_sankaram - thanks for sharing your response output logs, it’s really appreciated!

It does look like your app has the right access scopes, but from what I was able to gather internally, your app is missing access to protected customer data.

Since, by default, webhooks will include sensitive customer info, if your app doesn't have approval to access things like customer addresses, phone numbers, etc., we would expect a 403 error to be returned.

You should be able to request access to the needed scopes in your Partner Dashboard, though. We have a dev guide here that might help: Work with protected customer data

Hope this helps - let me know if I can clarify anything on my end here :slight_smile:

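A small diagnostic for the situation described in the reply above, added here as an example; it is not code from the thread or from Shopify's Node client. It assumes the error object has the shape shown in the original post (statusCode, path, headers) and that orders/create is satisfied by the read_orders or write_orders scope; the sample error and request id are constructed.

```javascript
// Added example: classify a failed webhook registration so the operator knows
// whether to fix access scopes or to request protected customer data access
// in the Partner Dashboard. Assumption: error objects look like the HTTPError
// in the post (statusCode, path, headers).

// Assumption: topic -> scopes that satisfy it. Only orders/create is taken
// from the thread; extend this for the topics your app registers.
const REQUIRED_SCOPES = { "orders/create": ["read_orders", "write_orders"] };

function diagnoseWebhookError(err, topic, grantedScopes) {
  const granted = new Set(grantedScopes);
  const needed = REQUIRED_SCOPES[topic] || [];
  const hasScope = needed.length === 0 || needed.some((s) => granted.has(s));
  const headers = err.headers || {};
  const base = {
    topic,
    statusCode: err.statusCode,
    // Keep the request id: it is what support will ask for when you escalate.
    requestId: headers["x-request-id"],
    apiVersion: headers["x-shopify-api-version"],
  };
  if (err.statusCode === 401) {
    return { ...base, cause: "invalid_or_expired_token" };
  }
  if (err.statusCode === 403 && !hasScope) {
    return { ...base, cause: "missing_access_scope", missing: needed };
  }
  if (err.statusCode === 403 && /\/webhooks\.json$/.test(err.path || "")) {
    // Scopes are fine and the endpoint is the webhooks API: the thread's case,
    // protected customer data access has not been approved for the app.
    return { ...base, cause: "protected_customer_data_not_approved" };
  }
  return { ...base, cause: "other" };
}

// Constructed sample mirroring the 403 in the post (headers trimmed,
// request id is a placeholder, not a real value).
const SAMPLE_403 = {
  name: "HTTPError",
  method: "POST",
  path: "/admin/api/2024-04/webhooks.json",
  statusCode: 403,
  headers: { "x-request-id": "REQUEST-ID-PLACEHOLDER", "x-shopify-api-version": "2024-04" },
};
```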

This solves the issue, thanks for the help, Alan.

Newer APIs give a clear error message in 2024-07.
