Insights security

How to audit the permissions your Shopify apps have

When you install a Shopify app, you grant it OAuth scopes. These are specific permissions like “read products” or “write orders” that let the app do its job. Most merchants click “Install” without reading the scopes, then never revisit them.

This piece is the practical workflow for auditing what permissions each of your installed apps actually holds, what those scopes can do, and how to revoke access without breaking apps that legitimately need it.

Why this audit matters

Three reasons.

Risk surface area. Every app with write_orders can modify orders. If that app is compromised, an attacker can modify your orders. Most stores don’t need that scope granted to anything but their order management system.

Data exposure. Apps with read_customers can read your customer database. If a marketing app developer suffers a data breach, your customer list is in that breach. The fewer apps that hold sensitive customer scopes, the smaller your exposure.

Compliance. GDPR, CCPA, and Australia’s Privacy Act all require you to know what third parties hold your customer data. If you can’t list which Shopify apps have access to customer records, you can’t honestly comply.

How to view current app permissions

Shopify makes this surprisingly hard to do at scale. There’s no single dashboard that lists all apps with all scopes. The cleanest path is the admin Apps page, which shows installed apps but not their specific scopes.

To see actual scopes:

  1. In Shopify admin, navigate to Settings, then Apps and sales channels.
  2. Click an installed app.
  3. The app’s detail page shows the high-level permissions (“can manage your products”, etc).
  4. For the full scope list, look in the app’s privacy policy or contact the app developer.

This is genuinely friction, which is part of why most merchants don’t do it.

A faster approach is to query Shopify’s Admin API directly. The InstalledApps query returns the access scopes for each installed app. If you’re technical or have a Shopify developer working with you, this is a 10-minute task.

The high-risk scopes to watch for

Not every scope is equally sensitive. These are the ones that matter most for audit purposes.

ScopeWhat it allowsShould rarely be granted to
write_ordersModify order details, including totals and customer infoMarketing apps, analytics apps, anything not in your fulfillment stack
read_customersRead full customer database including PIIApps that don’t need to personalize email/marketing
write_customersModify customer recordsAnything except your CRM and email tools
write_productsCreate, edit, delete productsApps that don’t manage your catalog
read_ordersRead full order historyMost marketing apps don’t need this
write_themesModify your live theme codeApps that don’t manage theme content
write_script_tagsInject scripts on every storefront pageNow mostly obsolete; should be Web Pixels instead

If you see write_orders granted to a marketing app or write_themes granted to an analytics app, that’s a flag worth investigating.

What to do when you find excessive permissions

Three options, in order of preference.

1. Uninstall. If the app does something the store can live without, uninstall. The fastest fix is always removal.

2. Contact the developer. Some apps request broad scopes early in their development and never narrow them down. Email the developer and ask if a narrower scope set would work for your use case. Reputable developers will engage; less reputable ones will go silent.

3. Sandbox via a custom Shopify environment. For apps you need but don’t fully trust, run them in a development store and verify their behavior before installing on your live store.

A simple monthly habit

Most merchants benefit from a 15-minute monthly check.

  1. Open Shopify admin, Apps page.
  2. Sort by “last opened” (some Shopify admin views support this; others require manual sort).
  3. Any app you haven’t opened in 60 days that holds sensitive scopes is a candidate for uninstallation.
  4. For active apps, check their privacy policy once a quarter to confirm their data handling hasn’t changed.

Apps that haven’t been updated by the developer in 12+ months and hold sensitive scopes are particularly high-risk. They’re unlikely to receive security patches if a vulnerability is discovered.

How Store Auditor relates to permission audits

Store Auditor is a performance audit tool, not a permission audit tool. But there’s significant overlap. The apps that load heavy scripts on your storefront are often the same apps holding broad scopes.

Our scan uses the minimum read-only scopes needed to do its job (read_themes, read_script_tags, read_products, read_analytics, read_reports). We never request write access of any kind. If an audit tool asks for write scopes, that’s a flag.

If you’re running a permission audit and you find apps you can’t justify keeping, Store Auditor will also show their performance impact, which usually makes the uninstall decision easier.

Tools and services

For larger merchants who want a more systematic approach, Defyn Digital provides Shopify security audits that include permission inventory, third-party risk assessment, and recommendations for tightening scopes across your app stack. We built Store Auditor out of our agency workflow, and the security audit work is a separate service we offer.

For solo merchants and small teams, the monthly habit above is usually enough. The point isn’t to be paranoid, it’s to know which apps hold which keys to your shop.

Run an audit

See the same analysis on your own store.

Install Store Auditor free. Get a per-app audit of your Shopify storefront in 90 seconds, no theme edits, no separate account.