API Transparency

How Pdztools Uses the Shopify API

A clear explanation of every Shopify API endpoint we call, why we call it, and how your data is handled.

Pdztools integrates with the Shopify Admin REST API and the Shopify Admin GraphQL API on behalf of store owners who grant OAuth 2.0 access to their Shopify stores. The integration covers the four core workflows described below. No Shopify data is sold, shared, or used outside the store owner's own workspace.

1. Order Sync — Pull Shopify Orders into Dashboard (READ)

Store owners connect their Shopify store via OAuth. Once connected, Pdztools calls the Orders API to import paid, unfulfilled orders into the seller's private dashboard — no manual CSV downloads needed.

GET /admin/api/{version}/orders.json?financial_status=paid&fulfillment_status=unfulfilled&status=open
GET /admin/api/{version}/orders/count.json
  • Fetches buyer shipping address, line items, SKU, quantity, sale price, and any custom properties (personalization notes)
  • Also fetches variant images and product type for each line item to display mockup thumbnails alongside orders
  • Uses Shopify's cursor-based pagination (Link header) to reliably sync stores with thousands of orders
  • Orders are stored inside the seller's isolated workspace — never visible to other accounts
[Screenshot: Orders dashboard — Shopify orders synced with mockup images]

2. Tracking Update — Push Tracking Numbers Back to Shopify (READ + WRITE)

After a fulfillment partner ships an item and returns a tracking number, Pdztools automatically creates a fulfillment on Shopify or updates the tracking on an existing one — triggering Shopify's built-in shipping notification email to the buyer.

GET /admin/api/{version}/orders/{order_id}/fulfillment_orders.json
POST /admin/api/{version}/fulfillments.json
POST /admin/api/{version}/fulfillments/{fulfillment_id}/update_tracking.json
  • First reads the fulfillment order ID from Shopify, then creates or updates the fulfillment with the tracking number, carrier, and tracking URL
  • Supports all major carriers (USPS, UPS, FedEx, DHL, 4PX, YunExpress, etc.) — Shopify recognizes these and auto-generates tracking URLs for buyers
  • For unknown carriers, Pdztools provides a fallback tracking URL (17track) so buyers can still track their package
  • Sends customer shipping notification via Shopify — no separate email needed from the seller
  • Only the tracking carrier, number, and URL are written — no other order fields are modified
[Screenshot: Order detail — fulfillment created with tracking on Shopify]

3. Listing Management — Bulk Create & Read Products (READ + WRITE)

Read: Pdztools reads store products and their variants to power SKU matching, mockup display, and fulfillment routing when an order arrives.

GET /admin/api/{version}/products.json?ids={id1,id2,...}&fields=id,images,options,product_type,handle
GET /admin/api/{version}/products/{product_id}/variants.json

Write: Sellers can bulk create listings by uploading a CSV file in Pdztools. The system maps each row to a pre-configured template (title, description, variants, price, images) and creates the product on Shopify.

POST /admin/api/{version}/products.json
  • Each product is created as active (live on the storefront) with all variants, images, tags, and product type from the template
  • Supports multi-variation products (e.g., Size × Color) with per-variant pricing and inventory quantities
  • Sets Google Shopping metafields (product category, gender, age group, condition) for Google Merchant Center integration
  • Shopify category (Standard Product Type) is assigned via GraphQL Admin API after product creation
  • Pdztools does not delete or unpublish existing listings without explicit seller action
[Screenshot: CSV upload + template selection UI]
[Screenshot: Auto Listing — scheduled jobs list]

4. Publishing — Distribute Products Across All Sales Channels (READ + WRITE)

After creating a product, Pdztools automatically publishes it to all active sales channels in the store (Online Store, Google, Facebook, etc.) using the Shopify Admin GraphQL API — so sellers don't have to manually enable each channel.

POST /admin/api/{version}/graphql.json [query: publications — list all sales channel IDs]
POST /admin/api/{version}/graphql.json [mutation: productPublish — publish to all channels]
POST /admin/api/{version}/graphql.json [mutation: productUpdate — set Shopify Standard Category]
  • Sales channel list is cached for 24 hours per store to minimize API calls
  • Every newly created product is published to all channels in one operation — no manual steps for the seller
  • The Standard Category (Shopify Taxonomy) is set via productUpdate mutation using the category GID selected from the template
[Screenshot: Product created and published to all channels]

OAuth Scopes Requested

Pdztools requests only the minimum scopes necessary to power the four workflows above.

  • read_orders: Read orders — required for order sync, fulfillment routing, and tracking dashboard
  • write_orders: Create and update fulfillments — required to push tracking numbers and trigger shipping notifications to buyers
  • read_products: Read products and variants — required for SKU matching, mockup display, and fulfillment routing
  • write_products: Create and update products — required for bulk listing creation from CSV upload
  • read_inventory: Read inventory levels — required to verify stock availability during order processing
  • write_inventory: Update inventory — required to set inventory quantities when creating product variants
  • read_publications: Read sales channels list — required to know which channels to publish new products to
  • write_publications: Publish to sales channels — required to distribute newly created products across all active channels (Online Store, Google, Facebook, etc.)

Shopify Connection Flow

How a store owner authenticates and connects their Shopify store to Pdztools via OAuth 2.0.

1. Store owner clicks "Connect Shopify Store"

Inside Pdztools, the seller navigates to the Shopify Stores page and clicks the Connect button, entering their .myshopify.com domain. Pdztools generates the OAuth authorization URL and redirects the seller to Shopify's permission screen.

[Screenshot: Shopify Stores page — Connect button]

2. Shopify displays the permission grant screen

The seller is redirected to their Shopify admin where they see exactly which permissions Pdztools is requesting. The seller must click Install app to proceed — no access is granted without this confirmation. Pdztools verifies the HMAC signature in the callback to prevent forgery.

[Screenshot: Shopify OAuth permission screen]

3. Shopify redirects back with an auth code

After the seller installs the app, Shopify redirects to the Pdztools callback URL with a one-time authorization code. Pdztools exchanges this code for a permanent access token — Shopify's custom app model does not use refresh tokens.

POST https://{shop}/admin/oauth/access_token

Store is connected and ready

Pdztools calls shop.json to fetch store details (name, domain, currency, plan) and links the store to the seller's account. The store is shown on the Shopify Stores page with today's order count and revenue. All subsequent API calls use the stored token — the seller does not need to re-authenticate unless they uninstall the app.

[Screenshot: Shopify Stores page — store connected successfully]
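
The callback check from steps 2 and 3, as an added example that is not Pdztools' own code. It assumes Shopify's documented scheme (hex HMAC-SHA256, keyed with the app's client secret, over the callback's other query parameters sorted by name) and that the app sent a `state` nonce in the authorization URL; the function names, secret and sample values are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

# Hostname shape Shopify documents for shop domains; rejects look-alike hosts.
SHOP_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com")


def callback_digest(pairs, client_secret):
    """Hex HMAC-SHA256 over the sorted key=value pairs, `hmac` excluded."""
    kept = sorted(p for p in pairs if p[0] != "hmac")
    message = "&".join(f"{k}={v}" for k, v in kept)
    return hmac.new(client_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(query_string, client_secret, expected_state):
    """Return (shop, code) for an authentic callback; raise ValueError otherwise."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    fields = dict(pairs)
    expected = callback_digest(pairs, client_secret)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(fields.get("hmac", "").encode(), expected.encode()):
        raise ValueError("hmac mismatch")
    # The nonce ties this callback to the browser session that started the flow.
    if not hmac.compare_digest(fields.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    shop = fields.get("shop", "")
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("invalid shop domain")
    if not fields.get("code"):
        raise ValueError("missing code")
    return shop, fields["code"]


# Constructed sample values, not real credentials or a real store.
SECRET = "constructed-client-secret"
SAMPLE = [("code", "constructedcode123"), ("shop", "example-store.myshopify.com"),
          ("state", "nonce-4f2a"), ("timestamp", "1700000000")]


def sample_query(pairs=SAMPLE, secret=SECRET):
    """Build a signed callback query string from the constructed sample."""
    return urlencode(pairs + [("hmac", callback_digest(pairs, secret))])


if __name__ == "__main__":
    print(verify_callback(sample_query(), SECRET, "nonce-4f2a"))
```

Only after all three checks pass should the code be exchanged at the access token endpoint, and only against the validated shop host.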

Token storage: Shopify access tokens are stored encrypted in the database, scoped per store. Unlike Etsy and eBay, Shopify's custom app tokens are permanent and do not expire — no refresh cycle is needed. If a seller uninstalls the app from Shopify, the token is revoked immediately and all API calls for that store stop. Sellers can reconnect at any time by going through the OAuth flow again.

API rate limit compliance: Pdztools respects Shopify's leaky-bucket rate limit (40 requests/second burst). When a 429 Too Many Requests response is received, the system automatically retries the request after a 1-second delay. Order sync uses Shopify's cursor-based pagination (Link header) for large data sets. Tracking pushes are spaced 500ms apart per order. Listing creation calls are processed sequentially — no parallel bursts.
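
One way to implement the pagination and 429 handling described above (an added example, not Pdztools' code). It goes slightly beyond the stated 1-second retry by honouring a longer Retry-After value, and it refuses a Link URL on any other host so the access token is never sent off the shop's domain; `fetch`, `sleep` and the replayed responses are constructed stand-ins for the HTTP client.

```python
import re
from urllib.parse import urlsplit

LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')


def next_page_url(link_header, shop):
    """Return the rel="next" URL or None; refuse links that leave the shop host."""
    for url, rel in LINK_RE.findall(link_header or ""):
        if rel == "next":
            if not url.startswith("https://") or urlsplit(url).hostname != shop:
                raise ValueError("next link leaves the shop host")
            return url


def sync_orders(shop, url, fetch, sleep, max_retries=5):
    """Collect orders from every page; fetch(url) -> (status, headers, body)."""
    orders = []
    while url:
        for attempt in range(max_retries + 1):
            status, headers, body = fetch(url)
            if status != 429:
                break
            if attempt == max_retries:
                raise RuntimeError("still rate limited after retries")
            # At least the page's 1-second delay, longer if Retry-After asks.
            sleep(max(1.0, float(headers.get("Retry-After", 1))))
        if status != 200:
            raise RuntimeError(f"unexpected status {status}")
        orders.extend(body["orders"])
        url = next_page_url(headers.get("Link"), shop)
    return orders


# Constructed two-page replay for an offline run (not real API output).
SHOP = "example-store.myshopify.com"
PAGE1 = f"https://{SHOP}/admin/api/VERSION/orders.json?limit=2"
PAGE2 = PAGE1 + "&page_info=constructed-cursor"
PAGES = {
    PAGE1: [(429, {"Retry-After": "2.0"}, None),
            (200, {"Link": f'<{PAGE2}>; rel="next"'}, {"orders": [{"id": 1}, {"id": 2}]})],
    PAGE2: [(200, {"Link": f'<{PAGE1}>; rel="previous"'}, {"orders": [{"id": 3}]})],
}


def run_sample():
    queue, waits = {u: list(r) for u, r in PAGES.items()}, []
    orders = sync_orders(SHOP, PAGE1, lambda u: queue[u].pop(0), waits.append)
    return [o["id"] for o in orders], waits
```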

Data retention & revocation: All Shopify data is stored securely and access-scoped per store owner account. Data is retained only while the seller's account is active. Sellers can revoke access at any time from Shopify Admin → Apps → Installed Apps → Pdztools → Delete, which immediately terminates all API calls for that store. Upon account deletion, all associated Shopify data is permanently removed within 30 days. See our Privacy Policy for full details.