Shopify

This documentation for the Shopify integration describes the technical capabilities of this integration, including authorization, scopes/permissions, and utilized endpoints. For more information on how to integrate Shopify, visit our connection instructions.

Version

This integration utilizes the Shopify REST Admin API 2024-01.

Base URL

The base URL used for all Shopify API endpoints contains the Shopname:

https://shopname.myshopify.com/admin/api/2024-01

---

Authentication & Authorization

The Cyera Shopify integration connects using OAuth 2.0 with the following credentials: Client ID and Client Secret.

Sensitive Credentials

Publicly exposing your API credentials can allow unauthorized access to Shopify API endpoints by a third party. Cyera stores your API credentials encrypted and protected.

Scopes

The Shopify integration requires specific scopes that must be granted in order to function for a given capability.

Scope	Base	Access	Deletion
read_all_orders		✅
read_assigned_fulfillment_orders		✅
read_checkouts		✅
read_content		✅
read_customers	✅	✅
read_orders		✅
write_customer_data_erasure			✅
write_customers			✅
write_orders			✅

Base Scopes

All base scopes must be granted in order to connect the integration with Cyera. The remaining scopes are only required if enabling those capabilities

Endpoints Utilized

Cyera uses the following endpoints to authorize and test the connection:

Method	Endpoint	Purpose	Docs
GET	/customers/count.json	Validate credentials
POST	https://shopname.myshopify.com/admin/oauth/access_token	Get and refresh access token
GET	https://shopname.myshopify.com/admin/oauth/authorize	Request authorization

---

Limits

Limits in Shopify are calculated using the leaky bucket algorithm. All requests that are made after rate limits have been exceeded are throttled and an HTTP 429 Too Many Requests error is returned. Requests succeed again after enough requests have emptied out of the bucket.

• Cyera supports requests throttling to stay within 70-80% of specified service rate limits.
• Cyera processes API responses with HTTP 429 status to interrupt requests, waiting and retrying (using an exponential backoff strategy).

---

Capabilities

Access

Cyera's Shopify integration provides Synchronous Access capabilities for the following supported identifier category: Email.

Data Interactions

For Access requests, Cyera will take the following actions:

1. Search for Customers by the Data Subject email.
2. If a match is found, Cyera will extract all objects related to the customer, including the following:

Match Found

• Orders
• Refunds
• Transactions
• Order Risks
• Fulfillments
• Fulfillment Events
• Fulfillment Orders
• Blog Comments

Endpoints Utilized

Method	Endpoint	Purpose	Docs
GET	/blogs.json	Retrieve a list of blogs
GET	/checkouts.json	Retrieve a list of checkouts
GET	/checkouts/checkout_id/payments.json	Retrieves a single payment
GET	/comments.json	Retrieves a list of comments
GET	/customers/search.json	Search for Customers
GET	/orders.json	Retrieve a list of orders
GET	/orders/order_id/fulfillment_orders.json	Retrieves a list of fulfillment orders for a specific order
GET	/orders/order_id/fulfillments.json	Retrieves fulfillments associated with an order
GET	/orders/order_id/fulfillments/{fulfillment_id}/events.json	Retrieves a list of fulfillment events for a specific fulfillment
GET	/orders/order_id/risks.json	Retrieves a list of all order risks for an order
GET	/orders/order_id/transactions.json	Retrieves a list of transactions

---

Deletion

Cyera's Shopify integration provides Asynchronous (Whole Record) Deletion capabilities for the following supported identifier category: Email.

Data Interactions

For Deletion requests, Cyera will take the following actions:

Attempt to delete customer profiles:

1. Search for Customers by the Data Subject email address.
2. If a match is found, Cyera will fetch all Orders associated with the customer.
3. Update all retrieved orders:
   • Cyera updates orders to make them anonymized, unrelated to the customer.
   • Your orders will remain in Shopify without affecting your reporting and available to be used accordingly for tax, audit or any other legal requirement purposes related to your company and/or industry.
4. Delete the customer profile.

Shopify Customer Profile Deletion Restrictions

Shopify will not allow Customer Profiles to be deleted, if any of the following conditions are met, in case a chargeback occurs:

• The customer has an order history.
• The customer has pending redaction because of a GDPR erasure request.
• The customer has an active subscription now, or if the customer ever had a subscription in the past.
• The customer is the recipient of a scheduled gift card that hasn't been delivered yet.

If customer profile deletion fails, initiate a GDPR Erasure Request:

1. Check that Cyera has the write_customer_data_erasure scope. If this scope is not granted, deletion will be marked as failed.
2. Enqueue a request to erase customer data.

Shopify Deletion Behavior Options

Review the Shopify Connection Guide for additional configuration options for processing GDPR Erasure Requests.

Endpoints Utilized

Method	Endpoint	Purpose	Docs
GET	/customers/customer_id.json	Retrieves a single customer
DEL	/customers/customer_id.json	Deletes a customer
GET	/customers/search.json	Search for Customers
POST	/graphql.json	Submit an Erasure Request
GET	/orders.json	Retrieve a list of orders
PUT	/orders/order_id/.json	Update an order
GET	https://shopname.myshopify.com/admin/oauth/access_scopes.json	Access scopes granted to the app on this store

---