Shopify tightens API access for customer marketing URLs

Dec 26, 2025 | Latest E-commerce News & Updates

Shopify immediately updated its API access requirements, mandating that apps now hold the write_customers scope to query customer marketing and unsubscribe URLs. The breaking change addresses a security vulnerability where the previously sufficient read_customers scope allowed apps to expose secret tokens capable of altering marketing consent. Developers accessing fields like CustomerEmailAddress.marketingUnsubscribeUrl must upgrade their permissions to create_and_edit_customers to avoid access denied errors.
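
A pre-deployment check for the change described above, as an added example that is not Shopify's or the article's code: it scans an app's GraphQL documents for the gated field and reports the ones that would be denied under the granted scopes. The function names, sample queries and scope strings are constructed for illustration; only write_customers, read_customers and marketingUnsubscribeUrl come from the article.

```javascript
// Field named in the article; extend this set from Shopify's changelog as needed.
const GATED_FIELDS = new Set(["marketingUnsubscribeUrl"]);
const REQUIRED_SCOPE = "write_customers";

// Parse a comma-separated scope list into a set of scope handles.
function parseScopes(scopeString) {
  return new Set(scopeString.split(",").map((s) => s.trim()).filter(Boolean));
}

// Return the gated fields a GraphQL document selects. Block strings, string
// literals and # comments are blanked in one pass so mentions inside them are
// ignored; an aliased selection ("link: marketingUnsubscribeUrl") still matches.
function gatedFieldsIn(query) {
  const code = query.replace(/"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*/g, " ");
  const names = code.match(/[_A-Za-z][_0-9A-Za-z]*/g) || [];
  return [...new Set(names.filter((n) => GATED_FIELDS.has(n)))];
}

// List every query that would be denied under the granted scopes.
function auditQueries(scopeString, queries) {
  const granted = parseScopes(scopeString);
  if (granted.has(REQUIRED_SCOPE)) return [];
  return Object.entries(queries)
    .map(([name, text]) => ({ query: name, fields: gatedFieldsIn(text) }))
    .filter((f) => f.fields.length > 0)
    .map((f) => ({ ...f, missingScope: REQUIRED_SCOPE }));
}

// Constructed sample queries (the selection shape is an assumption).
const SAMPLE_QUERIES = {
  unsubscribeLinks: `query {
    customers(first: 10) { nodes { defaultEmailAddress {
      emailAddress
      link: marketingUnsubscribeUrl
    } } }
  }`,
  emailsOnly: `# marketingUnsubscribeUrl dropped from this query
  query { customers(first: 10) { nodes { defaultEmailAddress { emailAddress } } } }`,
};

console.log(auditQueries("read_customers,read_orders", SAMPLE_QUERIES));
```

Run against an app's real query files in CI, a non-empty result flags the queries to fix or the scope to request before the app hits access denied errors in production.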

Paul Drecksler is the founder and editor of Shopifreaks, covering the most important stories in e-commerce.

Companies: Shopify
