After obtaining a Customer Account API access_token via OAuth, determine the correct Customer Account API GraphQL endpoint — it is at a Shopify-hosted URL specific to your store; check current docs for the exact host pattern
Send a POST request to the GraphQL endpoint with Content-Type: application/json, Authorization: Bearer <access_token>, and a body with a query field containing your GraphQL query
Query the customer root field for profile data: customer { firstName lastName emailAddress { emailAddress } defaultAddress { address1 city country } }
Query customer orders with pagination: customer { orders(first: 10, after: $cursor) { nodes { id name processedAt totalPrice { amount currencyCode } lineItems(first: 5) { nodes { title quantity } } } pageInfo { hasNextPage endCursor } } }
Use pageInfo.hasNextPage and pageInfo.endCursor for cursor-based pagination when a customer has many orders: pass endCursor as the after argument of the next request and iterate until hasNextPage is false
For address management use the customerAddressCreate, customerAddressUpdate, and customerAddressDelete mutations on the same endpoint
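The request and pagination steps above as a runnable sketch. This is an added example, not code from the original page or from Shopify. The function names, the `String` type for `$cursor`, the `max_pages` cap and the placeholder endpoint are assumptions, and `fake_post` returns constructed data so the loop runs offline.

```python
import json
import urllib.request

# Orders query from the steps above, with $cursor declared as a variable.
ORDERS_QUERY = """query Orders($cursor: String) {
  customer { orders(first: 10, after: $cursor) {
    nodes { id name processedAt totalPrice { amount currencyCode } }
    pageInfo { hasNextPage endCursor } } } }"""

def http_post(endpoint, token, payload):
    """Real transport: JSON POST carrying the Bearer header."""
    req = urllib.request.Request(
        endpoint, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def fetch_all_orders(endpoint, token, post=http_post, max_pages=100):
    """Follow endCursor until hasNextPage is false; return all order nodes."""
    if not endpoint.startswith("https://"):
        raise ValueError("refusing to send a bearer token over non-HTTPS")
    orders, cursor = [], None
    for _ in range(max_pages):  # cap so a repeating cursor cannot loop forever
        body = post(endpoint, token,
                    {"query": ORDERS_QUERY, "variables": {"cursor": cursor}})
        if body.get("errors"):  # GraphQL errors can arrive with HTTP 200
            raise RuntimeError(f"GraphQL errors: {body['errors']}")
        page = body["data"]["customer"]["orders"]
        orders.extend(page["nodes"])
        if not page["pageInfo"]["hasNextPage"]:
            return orders
        cursor = page["pageInfo"]["endCursor"]
    raise RuntimeError("pagination exceeded max_pages")

def fake_post(endpoint, token, payload):
    """Constructed two-page response standing in for the API (not real data)."""
    first = payload["variables"]["cursor"] is None
    return {"data": {"customer": {"orders": {
        "nodes": [{"id": "o1" if first else "o2"}],
        "pageInfo": {"hasNextPage": first,
                     "endCursor": "c1" if first else None}}}}}

if __name__ == "__main__":
    # Placeholder endpoint and token; the real host comes from Shopify's docs.
    print(fetch_all_orders("https://example.invalid/graphql", "TOKEN", fake_post))
```

Passing the cursor as a GraphQL variable keeps the query string constant, so nothing is interpolated into the query text.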
Known gotchas
The Customer Account API GraphQL schema is different from the Admin and Storefront API schemas — field names and types differ; always reference the Customer Account API schema docs rather than copying queries from Admin or Storefront API examples
Access tokens granted by a customer only expose data belonging to that customer; there is no way to query other customers' data with a Customer Account API token — this is by design for privacy isolation
If you store the access_token in a session cookie, ensure the cookie is HttpOnly, Secure, and SameSite=Strict to prevent theft; the token is highly sensitive because it grants access to the customer's full order history