We have a public app on the Shopify App Store, and we want to identify which of our installed stores have a real B2B use case — stores that have created companies and are actively using Shopify’s B2B features. Webhooks let us detect this in real time instead of polling the Admin API across all stores. We can query company data via the GraphQL Admin API without issues if we have the read_companies access scope, but subscribing to webhooks for the companies/create and companies/update topics fails with the error below:
This app is not approved to subscribe to webhook topics containing protected customer data.
The same data is accessible via the Admin API without Protected Customer Data approval but blocked behind it for webhooks. If this data is protected, shouldn’t the API also require approval? If it’s not, why do webhooks need it?
Also, along the same lines, what is the recommended way to identify which stores have a real use case for B2B, or are actively using B2B features, using the Shopify Admin API, so that our app can support B2B storefronts properly?
And that’s okay for us, since we don’t need any customer data anyway. But we need the companies/create and companies/update webhooks, which don’t include any customer data either, as shown in their sample payload:
{
  "name": "Example Company",
  "note": "This is an example company",
  "external_id": "123456789",
  "main_contact_admin_graphql_api_id": "gid://shopify/CompanyContact/408372092144951652",
  "created_at": "2021-12-31T19:00:00-05:00",
  "updated_at": "2021-12-31T19:00:00-05:00",
  "customer_since": "2021-12-31T19:00:00-05:00",
  "admin_graphql_api_id": "gid://shopify/Company/408372092144951419"
}
We are able to access these exact same fields through the GraphQL Admin API without having protected customer data access for our app, so my original question still remains: the same data is accessible through the GraphQL Admin API but restricted through webhooks. Why?