Introduced granular permissions for Recurrence Policies | HTTP API

Introduced granular permissions for Recurrence Policies

12 December 2025

Composable Commerce

HTTP API

Enhancement

Deprecation

OrdersSecurity and privacy

We have introduced new OAuth scopes specifically for Recurrence Policies to provide more granular permission control. Previously, the view_recurring_orders:{projectKey} and manage_recurring_orders:{projectKey} OAuth scopes controlled access to both Recurring Orders and Recurrence Policies.

With this change:

Users with view_recurrence_policies:{projectKey} scope can view Recurrence Policies as read-only.
Users with manage_recurrence_policies:{projectKey} scope can view, create, update, and delete Recurrence Policies.

The existing view_recurring_orders:{projectKey} and manage_recurring_orders:{projectKey} OAuth scopes will continue to grant access to Recurrence Policies until 16 March 2026 to allow for a smooth transition. On this date, only the new Recurrence Policy-specific scopes will be accepted for Recurrence Policy operations.

We recommend updating your API clients to use the new OAuth scopes as soon as possible to ensure uninterrupted access to Recurrence Policy functionality.

Changes:

[API] Added view_recurrence_policies:{projectKey} and manage_recurrence_policies:{projectKey} OAuth scopes.
[API] Updated the Recurrence Policies API to use the new OAuth scopes.
[API] Deprecated the use of view_recurring_orders:{projectKey} and manage_recurring_orders:{projectKey} OAuth scopes for Recurrence Policy operations.
[Documentation] Added deprecation information to the Deprecation and removals page.