{
  "id": "P159",
  "slug": "shopify-admin-api-access-scopes-staff-permissions-query-customer-fields-app-token-has-scope-acti",
  "status": "search-observed",
  "product": "Shopify customer API",
  "family": "Scope/permission expansion",
  "canonical_url": "https://gitdocs.org/fix/shopify-admin-api-access-scopes-staff-permissions-query-customer-fields-app-token-has-scope-acti",
  "query_alias_url": "https://gitdocs.org/q/shopify-admin-api-access-scopes-staff-permissions-query-customer-fields-app-token-has-scope-acti",
  "markdown_url": "https://gitdocs.org/fix/shopify-admin-api-access-scopes-staff-permissions-query-customer-fields-app-token-has-scope-acti.md",
  "json_url": "https://gitdocs.org/api/fixes/shopify-admin-api-access-scopes-staff-permissions-query-customer-fields-app-token-has-scope-acti.json",
  "canonical_query": "Shopify Admin API access scopes staff permissions query customer fields app token has scope acting user cannot query field",
  "observed_codex_queries": [
    "site:shopify.dev customer API acting user still cannot query field user permissions app scope Shopify customer API permissions staff member customers",
    "Shopify Admin API access scopes staff permissions query customer fields app token has scope acting user cannot query field",
    "Shopify Admin API staff permissions access scopes customer read_customers",
    "https://shopify.dev/docs/api/admin-graphql/latest/objects/Customer",
    "https://shopify.dev/docs/api/admin-graphql/latest/mutations/customerCreate",
    "https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant",
    "'online access tokens' in https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant"
  ],
  "organic_dependency_search_count": 7,
  "affected_versions": "",
  "exact_errors": [],
  "diagnosis": "The same token and query worked before; the service's current authorization policy—not local code—determines the newly required scope and user permission.",
  "before": "",
  "after": "",
  "verification": "Verifier checks the minimum current scopes and user permission, plus graceful handling when reauthorization is needed. Require least privilege and a reauthorization path.",
  "unsafe_fixes": [
    "Changing local code without checking the current external contract.",
    "Retrying the same install, build, or API call with no version/source change.",
    "Applying a broad unsafe bypass when a narrow compatibility fix is available."
  ],
  "last_verified_at": "2026-06-25",
  "neutral_validation": {
    "organic_search_observed": true,
    "organic_strict_pass": true,
    "no_web_counterfactual_run": false,
    "no_web_strict_pass": null,
    "search_necessity_under_fixture": null,
    "no_web_oracle_note": "Observed query evidence is separated from necessity proof; no-web and stale-contract counterfactuals should be tracked separately."
  },
  "source_trail": [
    {
      "url": "https://shopify.dev/changelog/customer-marketing-url-fields-now-require-write-access",
      "label": "Shopify customer marketing URL fields require write access"
    },
    {
      "url": "https://shopify.dev/docs/api/admin-graphql/latest/objects/Customer",
      "label": "Official reference opened by Codex"
    },
    {
      "url": "https://shopify.dev/docs/api/admin-graphql/latest/mutations/customerCreate",
      "label": "Official reference opened by Codex"
    },
    {
      "url": "https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant",
      "label": "Official reference opened by Codex"
    }
  ],
  "source_github_links": []
}