PAT vs. OAuth — which do I use?
- Use a Personal Access Token to access your own account’s stores — internal scripts, data exports, back-office automation. No app, no marketplace, no install step.
- Use OAuth to build an app that other merchants install. The app receives tokens scoped to whatever each merchant granted at install time.
How a PAT is scoped
A PAT inherits the identity of the user who created it:- Account — the token is permanently bound to your account. It can only ever read data belonging to that account. This binding is fixed at creation time and does not change afterward.
- Stores — the token can only act on stores where you have a role. If you lose access to a store, the token loses it too.
- Scopes — you choose a subset of your permissions when creating the token (see Scopes below). A token can never exceed the permissions you already hold.
Creating a token
Create and manage Personal Access Tokens from your OrderProtection dashboard:- Click your avatar in the top corner, then select Personal Access Tokens.
- Click Create token, give it a name, and select the stores and scopes it should carry.
- (Optional) Set an expiration date.
- Click Create. The full token is shown once — copy it immediately and store it somewhere safe.
Token format
Personal Access Tokens are prefixed withop_pat_:
Using a token
Send the token as a Bearer token in theAuthorization header — exactly like an OAuth access token:
store_ids query parameter to narrow a request to specific stores.
Available scopes
A Personal Access Token can carry any subset of the following scopes. Scope names use thedomain:verb format.
| Scope | Description |
|---|---|
analytics:read | Read store analytics and reporting data (see the Analytics API) |
order:read | Read order data |
order:update | Create and update orders |
claim:read | Read claim data and status |
claim:create | File new claims |
claim:update | Update existing claims |
order-note:read | Read order notes |
order-note:create | Add order notes |
order-note:update | Update order notes |
order-note:delete | Delete order notes |
fulfillment:read | Read fulfillment data |
fulfillment:create | Create fulfillments |
fulfillment:update | Update fulfillments |
A token only receives the scopes you select and already hold. Selecting a scope you don’t have will be rejected at creation.
Revoking a token
Revoke a token at any time from your avatar → Personal Access Tokens. Revocation takes effect immediately — any further requests using that token return401 Unauthorized.

