orcaqubits/shopify-api-rest
dist/codex/shopify-commerce/skills/shopify-api-rest/SKILL.md
"MIGRATION SKILL: Shopify REST Admin API — endpoint patterns, authentication, rate limits, and REST-to-GraphQL migration guide. The REST Admin API is deprecated (October 2024). Use this skill only for maintaining legacy integrations or planning migration to GraphQL."
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins shopify-api-restInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 6:01 AM134.2s1 file scanned
SKILL.md
- name:
- shopify-api-rest
- description:
- >
- "MIGRATION SKILL:
- Shopify REST Admin API — endpoint patterns, authentication,
Shopify REST Admin API (DEPRECATED)
DEPRECATION NOTICE: The Shopify REST Admin API was deprecated in October 2024. All new development MUST use the GraphQL Admin API. This skill exists for maintaining legacy code and planning migration.
Before writing code
Fetch live docs:
- Web-search
site:shopify.dev rest admin api deprecationfor deprecation timeline - Web-search
site:shopify.dev migrate rest to graphqlfor migration guide - Fetch
https://shopify.dev/docs/api/admin-restfor REST reference (if maintaining legacy code)
REST API Overview (Legacy)
Endpoints
- Base URL:
https://{store}.myshopify.com/admin/api/{version}/ - Resources:
products.json,orders.json,customers.json, etc. - CRUD via HTTP methods: GET, POST, PUT, DELETE
Authentication
- Header:
X-Shopify-Access-Token: {token} - Same OAuth tokens work for both REST and GraphQL
Rate Limits
- Bucket-based: 40 requests per app per store (leaky bucket)
- Headers:
X-Shopify-Shop-Api-Call-Limit: 32/40 - Plus stores: 80 requests
Pagination
- Cursor-based via
Linkheader (not page numbers) rel="next"andrel="previous"links
REST-to-GraphQL Migration
Common Mappings
| REST Endpoint | GraphQL Equivalent |
|---------------|-------------------|
| GET /products.json | query { products(first: 50) { edges { node { ... } } } } |
| POST /products.json | mutation { productCreate(input: {...}) { ... } } |
| PUT /products/{id}.json | mutation { productUpdate(input: {...}) { ... } } |
| DELETE /products/{id}.json | mutation { productDelete(input: {id: "..."}) { ... } } |
| GET /orders.json | query { orders(first: 50) { edges { node { ... } } } } |
| GET /customers.json | query { customers(first: 50) { edges { node { ... } } } } |
Key Differences
| Aspect | REST | GraphQL |
|--------|------|---------|
| Data shape | Fixed response | Client-defined |
| Rate limiting | Request count (40/s) | Cost-based (1000 points) |
| Pagination | Link headers | Cursor arguments |
| Bulk operations | Not available | bulkOperationRunQuery |
| Webhooks | REST endpoint | Same (subscription via GraphQL) |
| ID format | Numeric (12345) | GID (gid://shopify/Product/12345) |
ID Conversion
REST uses numeric IDs; GraphQL uses Global IDs (GIDs):
- REST:
12345 - GraphQL:
gid://shopify/Product/12345 - Convert: prefix with
gid://shopify/{ResourceType}/
Migration Strategy
- Audit existing REST calls — list all endpoints and frequencies
- Map each REST call to its GraphQL equivalent
- Migrate incrementally — replace one endpoint at a time
- Leverage bulk operations — replace paginated REST loops with single bulk queries
- Update error handling — GraphQL returns 200 with
userErrors, not HTTP status codes - Test thoroughly — responses have different shapes
Best Practices
- Do NOT write new code against the REST API
- Prioritize migrating high-frequency REST calls first
- Use bulk operations to replace REST pagination loops
- Update ID handling from numeric to GID format
- Test migration against a development store
Fetch the Shopify REST-to-GraphQL migration guide for exact endpoint mappings and timeline before planning a migration.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026