Skip to main content

The REST Admin API is a legacy API as of October 1, 2024. Starting April 1, 2025, all new public apps must be built exclusively with the GraphQL Admin API. For details and migration steps, visit our migration guide.

Order Risk

Requires orders access scope.

The Order Risk resource allows you to create, retrieve, update, and delete order risks. Order risks represent the results of fraud checks that have been completed for an order.

Usage notes

Caution

As of version 2024-04 this resource is deprecated. Risk Assessments can be queried via the Order Risk Assessment API.

  • This resource is deprecated in version 2024-04. Please refer to the GraphQL api for Order#field-order-risk
  • When determining an order's risk level, Shopify takes into account only those order risks that have the display property set to true. Orders with a display set to false will not be returned through the Order Risk resource. It's not advised to create order risks with a display set to false. This property might be removed in future API versions.
  • Risk assessments will favor the most severe risk recommendation for an order. Keep this in mind when creating new order risks.
Was this section helpful?
#

Endpoints

Anchor to

The Order Risk resource

Anchor to

Properties

cause_cancel
->
recommendation

Whether this order risk is severe enough to force the cancellation of the order. If true, then this order risk is included in the Order canceled message that's shown on the details page of the canceled order.

Note: Setting this property to true does not cancel the order. Use this property only if your app automatically cancels the order using the Order resource. If your app doesn't automatically cancel orders based on order risks, then leave this property set to false.

checkout_id
deprecated

The ID of the checkout that the order risk belongs to.

display
deprecated

Whether the order risk is displayed on the order details page in the Shopify admin. If false, then this order risk is ignored when Shopify determines your app's overall risk level for the order.

It's not advised to create order risks with a display set to false.

Note

This property can't be changed after an order risk is created.

id
deprecated

A unique numeric identifier for the order risk.

merchant_message
deprecated

The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if display is set totrue.

message
->
description

The message that's displayed to the merchant to indicate the results of the fraud check. The message is displayed only if display is set totrue.

order_id
->
id

The ID of the order that the order risk belongs to.

recommendation
->
recommendation

The recommended action given to the merchant. Valid values:

Show recommendation properties
  • cancel: There is a high level of risk that this order is fraudulent. The merchant should cancel the order.
  • investigate: There is a medium level of risk that this order is fraudulent. The merchant should investigate the order.
  • accept: There is a low level of risk that this order is fraudulent. The order risk found no indication of fraud.
score
string
->
riskLevel

For internal use only. A number between 0 and 1 that's assigned to the order. The closer the score is to 1, the more likely it is that the order is fraudulent.

Note

There is no guarantee of stability in risk scores. Scores are not probabilities. The relationship between scores and the probability of fraud can vary over time and between risk providers.

source
->
provider

The source of the order risk.

Was this section helpful?
{}

The Order Risk resource

{
"cause_cancel": false,
"checkout_id": 901414060,
"display": true,
"id": 284138680,
"merchant_message": "This order came from an anonymous proxy.",
"message": "This order came from an anonymous proxy.",
"order_id": 450789469,
"recommendation": "cancel",
"score": "1.0",
"source": "External"
}

Anchor to POST request, Creates an order risk for an order
post
Creates an order risk for an order

orderRiskAssessmentCreate

Creates an order risk for an order

Anchor to Parameters of Creates an order risk for an orderParameters

api_version
string
required
order_id
string
required
Was this section helpful?

Anchor to post-orders-order-id-risks-examplesExamples

Create an order risk showing a fraud risk for proxy detection

Path parameters
order_id=450789469
string
required
Was this section helpful?
post

/admin/api/unstable/orders/450789469/risks.json

curl -d '{"risk":{"message":"This order came from an anonymous proxy","recommendation":"cancel","score":"1.0","source":"External","cause_cancel":true,"display":true}}' \
-X POST "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks.json" \
-H "X-Shopify-Access-Token: {access_token}" \
-H "Content-Type: application/json"

{}

Response

JSON
HTTP/1.1 201 Created
{
"risk": {
"id": 1029151490,
"order_id": 450789469,
"checkout_id": 901414060,
"source": "External",
"score": "1.0",
"recommendation": "cancel",
"display": true,
"cause_cancel": true,
"message": "This order came from an anonymous proxy",
"merchant_message": "This order came from an anonymous proxy"
}
}

Anchor to GET request, Retrieves a list of all order risks for an order
get
Retrieves a list of all order risks for an order

order

Retrieves a list of all order risks for an order. Note: This endpoint implements pagination by using links that are provided in the response header. To learn more, refer to Make paginated requests to the REST Admin API.

Anchor to Parameters of Retrieves a list of all order risks for an orderParameters

api_version
string
required
order_id
string
required
Was this section helpful?

Anchor to get-orders-order-id-risks-examplesExamples

Retrieve all order risks for an order

Path parameters
order_id=450789469
string
required
Was this section helpful?
get

/admin/api/unstable/orders/450789469/risks.json

curl -X GET "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks.json" \
-H "X-Shopify-Access-Token: {access_token}"

{}

Response

JSON
HTTP/1.1 200 OK
{
"risks": [
{
"id": 284138680,
"order_id": 450789469,
"checkout_id": null,
"source": "External",
"score": "1.0",
"recommendation": "cancel",
"display": true,
"cause_cancel": true,
"message": "This order was placed from a proxy IP",
"merchant_message": "This order was placed from a proxy IP"
},
{
"id": 1029151489,
"order_id": 450789469,
"checkout_id": 901414060,
"source": "External",
"score": "1.0",
"recommendation": "cancel",
"display": true,
"cause_cancel": true,
"message": "This order came from an anonymous proxy",
"merchant_message": "This order came from an anonymous proxy"
}
]
}

Anchor to GET request, Retrieves a single order risk by its ID
get
Retrieves a single order risk by its ID
deprecated

Retrieves a single order risk by its ID

Anchor to Parameters of Retrieves a single order risk by its IDParameters

api_version
string
required
order_id
string
required
risk_id
string
required
Was this section helpful?

Anchor to get-orders-order-id-risks-risk-id-examplesExamples

Retrieve a single order risk

Was this section helpful?
get

/admin/api/unstable/orders/450789469/risks/284138680.json

curl -X GET "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \
-H "X-Shopify-Access-Token: {access_token}"

{}

Response

JSON
HTTP/1.1 200 OK
{
"risk": {
"id": 284138680,
"order_id": 450789469,
"checkout_id": null,
"source": "External",
"score": "1.0",
"recommendation": "cancel",
"display": true,
"cause_cancel": true,
"message": "This order was placed from a proxy IP",
"merchant_message": "This order was placed from a proxy IP"
}
}

Anchor to PUT request, Updates an order risk
put
Updates an order risk
deprecated

Updates an order risk


Note

You cannot modify an order risk that was created by another application.

Anchor to Parameters of Updates an order riskParameters

api_version
string
required
order_id
string
required
risk_id
string
required
Was this section helpful?

Anchor to put-orders-order-id-risks-risk-id-examplesExamples

Update an existing order risk for an order

Was this section helpful?
put

/admin/api/unstable/orders/450789469/risks/284138680.json

curl -d '{"risk":{"id":284138680,"message":"After further review, this is a legitimate order","recommendation":"accept","source":"External","cause_cancel":false,"score":"0.0"}}' \
-X PUT "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \
-H "X-Shopify-Access-Token: {access_token}" \
-H "Content-Type: application/json"

{}

Response

JSON
HTTP/1.1 200 OK
{
"risk": {
"order_id": 450789469,
"cause_cancel": false,
"message": "After further review, this is a legitimate order",
"recommendation": "accept",
"score": "0.0",
"source": "External",
"id": 284138680,
"checkout_id": null,
"display": true,
"merchant_message": "After further review, this is a legitimate order"
}
}

Anchor to DELETE request, Deletes an order risk for an order
del
Deletes an order risk for an order
deprecated

Deletes an order risk for an order


Note

You cannot delete an order risk that was created by another application.

Anchor to Parameters of Deletes an order risk for an orderParameters

api_version
string
required
order_id
string
required
risk_id
string
required
Was this section helpful?

Anchor to delete-orders-order-id-risks-risk-id-examplesExamples

Delete an order risk for an order

Was this section helpful?
del

/admin/api/unstable/orders/450789469/risks/284138680.json

curl -X DELETE "https://your-development-store.myshopify.com/admin/api/unstable/orders/450789469/risks/284138680.json" \
-H "X-Shopify-Access-Token: {access_token}"

{}

Response

JSON
HTTP/1.1 200 OK
{}