Write order scope without read

Hi,

We partner with a supplier to place orders on demand where some products on my store are “available to order”. I’ve developed a private app to connect to the partner store - also hosted on Shopify - retrieve the variant by looking up the SKU we have in common, and placing the order automatically on their store via the orders api.

It all works fine, but there are privacy concerns because it is not possible to grant the write_orders scope without also granting read_orders, which in turn gives me (in theory) access to all customer orders placed on the store.

I’m toying with trying to set up a new marketplace just for these orders and restricting the scope that way, or to host a proxy app that removes the ability to read orders. But none are ideal as it’s not MY store’s data that needs protecting, it’s my supplier’s.

Any thoughts as to how we might achieve this?

Thanks,
Paul.

Off the top of my head you could sign a contract with the supplier stating you both agree that you will not read any orders and only write them as necessary…

I mean it’s a simple solution so that you do not have to write any extra code…

1 Like