Check existing users for the latest Shopify OAuth permissions

Sometimes it comes to pass that your Shopify app suddenly needs to ask for new permissions to either continue functioning or to add support for new features. Maybe your app has grown and is adding new features that require another permission or two. Or maybe Shopify has changed the behavior of an existing permission; such was the case when they changed the read_orders permission in mid-2018 to only return orders from the last 60 days, and then required apps to request a special read_all_orders permission.

Whatever the case might be, when you have existing users the answer isn't as simple as "just add the new permission to the list of permissions we ask for". If you were to do that and call it a day, any requests that you make to the Shopify API on behalf of your current users would probably fail if they haven't granted the newest permissions.

Now, there are a few strategies that you can employ to "guard" any of your new features from being used without the correct permissions. They range from things as simple as adding a flag to your user database called HasLatestPermissions, to things like adding a PermissionsVersion string which could be used to future-proof your application in case you add more permissions in the future.

The exact strategy you use to guard against making calls to endpoints you haven't been granted permissions for is ultimately at your discretion and beyond the scope of this post. However, it can sometimes be very useful to check at runtime if a user has the latest permissions.

With the relatively new "Access Scopes" API, you can get a list of all permissions granted to an access token. Once you have that list, just compare it to the latest list of permissions your app requires. If any permission is missing, deny the request and redirect the user to the OAuth installation URL. They'll be asked to accept the newest permissions and then be sent back to your app where you just finish the typical OAuth handshake process like you would for any other OAuth request.

You can do this in C# / .NET by using the ShopifySharp package and its built-in AccessScopeService:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using ShopifySharp;

...

// The full list of permissions (scopes) the app currently requires.
List<string> ExpectedPermissions => new List<string>
{
    "read_orders",
    "write_orders"
};

// Asks Shopify which scopes the given access token has actually been granted
// and compares them against ExpectedPermissions.
public async Task<bool> HasLatestPermissions(string myShopifyDomain, string accessToken)
{
    var service = new AccessScopeService(myShopifyDomain, accessToken);
    var currentPermissions = await service.ListAsync();

    // Scope handles are compared case-insensitively; one missing handle is enough to fail the check.
    if (ExpectedPermissions.Any(required => !currentPermissions.Any(current => string.Equals(current.Handle, required, StringComparison.OrdinalIgnoreCase))))
    {
        // User does not have the latest permissions
        return false;
    }

    return true;
}

If you have the user go through the OAuth process to accept the latest permissions, their access token string won't change but it will be updated with the requested scopes.
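The following added example (not code from the post) goes one step further than the check above: it computes exactly which scopes are missing and, when any are, builds the OAuth installation URL the merchant should be redirected to. It assumes ShopifySharp's static AuthorizationService.BuildAuthorizationUrl(scopes, myShopifyUrl, apiKey, redirectUrl, state) overload is available in the version you use; the API key, redirect URL, and the state value are placeholders you must supply from your own configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using ShopifySharp;

public class ScopeGuard
{
    // The full set of scopes the app requires today, including read_all_orders
    // after the mid-2018 change to read_orders. Change this list in one place.
    public static readonly IReadOnlyList<string> RequiredScopes =
        new[] { "read_orders", "write_orders", "read_all_orders" };

    private readonly string _apiKey;      // placeholder: your Shopify app API key
    private readonly string _redirectUrl; // placeholder: your OAuth callback URL

    public ScopeGuard(string apiKey, string redirectUrl)
    {
        _apiKey = apiKey;
        _redirectUrl = redirectUrl;
    }

    // Pure comparison kept separate from the API call so it can be unit-tested offline.
    public static IReadOnlyList<string> FindMissing(IEnumerable<string> grantedHandles)
    {
        var granted = new HashSet<string>(grantedHandles, StringComparer.OrdinalIgnoreCase);
        return RequiredScopes.Where(required => !granted.Contains(required)).ToList();
    }

    // Returns null when the token already holds every required scope; otherwise the
    // authorization URL to redirect the merchant to. `state` is a random, per-request
    // value you store server-side and verify when Shopify sends the merchant back,
    // so the callback cannot be forged.
    public async Task<Uri> GetReauthorizationUrlAsync(string myShopifyDomain, string accessToken, string state)
    {
        var service = new AccessScopeService(myShopifyDomain, accessToken);
        var grantedHandles = (await service.ListAsync()).Select(scope => scope.Handle);

        var missing = FindMissing(grantedHandles);
        if (missing.Count == 0)
        {
            return null;
        }

        // Ask for the complete current list, not just the missing scopes: Shopify
        // replaces the token's scopes with whatever this request names.
        return AuthorizationService.BuildAuthorizationUrl(RequiredScopes, myShopifyDomain, _apiKey, _redirectUrl, state);
    }
}
```

In the callback handler, reject the request if the returned state does not match the stored one, then complete the usual code-for-token exchange; as noted above, the token string itself stays the same but now carries the new scopes.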


Learn how to build rock solid Shopify apps with C# and ASP.NET!

Did you enjoy this article? I wrote a premium course for C# and ASP.NET developers, and it's all about building rock-solid Shopify apps from day one.

Enter your email here and I'll send you a free sample from The Shopify Development Handbook. It'll help you get started with integrating your users' Shopify stores and charging them with the Shopify billing API.

We won't send you spam. Unsubscribe at any time.