scopes.md

Scopes

Many of the API scopes are segmented similarly to the admin console. There are some special ones that cover more specific functionality. An access token can only use the scopes that are requested by the application when the token is being created. To change the scope, a new token must be obtained.

The user account requesting the access token must have the appropriate role-based privledges in the admin console before they can obtain a token.

People

Permissions required: Customers, CustomerTypes, UserAccounts, StoreSettings

• read_people - View customer, user, or profile data
• people - View and change customer, user, or profile data; supercedes read_customer if specified together

Applies to:

• addresses
• customers
• customer_types
• customer_payment_methods
• profiles
• users

Orders

Permissions required: Orders, OrderStatuses

• read_orders - View order data
• orders - View and change order data; supercedes read_order if specified together

Applies to:

• carts
• cart_items
• credit_cards
• orders
• order_addresses
• order_items
• order_payments
• order_shipments
• order_statuses
• quotes
• subscriptions

Catalog

Permissions required: Products, ProductStatuses, VariationGroups, ProductAttributes, Categories, Manufacturers

• read_catalog - View catalog data
• catalog - View and change catalog data; supercedes read_catalog if specified together

Applies to:

• attributes
• attribute_groups
• categories
• manufacturers
• products
• product_lists
• product_pictures
• product_statuses
• product_variants
• shipping_rate_adjustments
• variant_groups
• variant_inventory

Content

Permissions required: Blogs, BlogCategories, BlogPosts, ContentManagement, UrlRedirecting

• read_content - View blog, page, and other content-related data
• content - View and change blog, page, and other content-related data; supercedes read_content if specified together

Applies to:

• blogs
• blog_categories
• blog_posts
• links
• pages

Marketing

Permissions required: AdCodes, Affiliates, EmailEditor, MailingList, DiscountMethods, GiftCertificates

• read_marketing - View adcode, discount, and other marketing-related data
• marketing - View and change adcode, discount, and other marketing-related data; supercedes read_marketing if specified together

Applies to:

• adcodes
• affiliates
• coupon_codes
• discount_methods
• discount_rules
• drips
• email_templates
• gift_certificates
• gift_certificate_transactions
• mailing_lists

Specialized Scopes

email

Permissions required: EmailEditor

Applies to:

• POST /api/v1/email_templates/{id}/send

custom_fields

Permissions required: CustomFields

Applies to:

• custom_fields

settings

Permissions required: Shipping, Warehouses, TaxRates, GlobalRegions, PaymentGateways, UrlRedirecting

Applies to:

• custom_shipping_methods
• payment_methods
• regions
• shipping_providers
• tax_rates
• url_redirects
• warehouses

system

Permissions required: FileBrowser, Sessions, StoreSettings

Applies to:

• stores
• sessions
• POST /api/v1/upload

decrypt

Allows sensitive information to be decrypted. The authorizing user must have access to view this information. Tokens with this scope must be regenerated every 90 days if combined with no_expiry.

Applies to:

• GET /api/v1/credit_cards/{id}/decrypted
• GET /api/v1/order_payments/{id}/decrypted

no_expiry

Token does not expire and does not require a refresh_token.