FlowRelay FlowRelay View FlowRelay for Shopify Flow

Agent Access

Give your agent safe event access for Shopify Flow.

Safe agent access is not about giving an agent more reach. It is about letting help arrive without exposing too much or allowing too much.

Read the guide Install from Shopify App Store
  • Control Control makes help acceptable

    Bounded access changes an agent from a risk into a useful operator.

  • Redaction Redaction is visible

    The product shows what stays out of the support path.

  • Decision Specific grant beats broad trust

    A narrower grant can feel more valuable than more access.

    • What changes

    Access without boundaries makes help feel dangerous.

    If the only way to troubleshoot is to hand over broad dashboards, private payloads, or tribal context, the perceived cost of using help goes up.

    How FlowRelay helps

    FlowRelay makes assistance inspectable.

    Scoped grants, receipt facts, action previews, redaction, and audit let a merchant-authorized agent work from safe evidence rather than private event bodies.

    Evidence to check

    Grant boundary artifact

    Show what the agent can read, what it can preview, what requires confirmation, and what is refused.

    Allowed
    Receipt summaries, endpoint status, support-safe diagnostics, and plan-fit context within scope.
    Controlled
    Replay, support requests, and sensitive changes stay behind preview, confirmation, and audit where applicable.
    Refused
    Secrets, authentication headers, raw event bodies, customer data, and broad hidden discovery are outside the safe path.

    How to start

    Grant the task, not the whole store.

    Delegation should feel specific, legible, and reversible.

    1. 01 Name the agent job

      Decide whether the agent is helping with setup, diagnostics, recovery, support, or partner handoff.

    2. 02 Choose the allowed scope

      Limit the grant to the endpoint, event history, or recovery action the job needs.

    3. 03 Preview sensitive actions

      Use confirmation-first operations for replay, support submissions, secret rotation, and endpoint changes.

    4. 04 Review the audit trail

      Keep a record of reads, previews, executions, and refusals.

    Existing-path check

    Verify the current path before changing it.

    Before changing a sender, list the outside system, current receiver, intended Shopify Flow trigger, owner, rollback path, evidence source, confidence level, and any access gaps. FlowRelay, Shopify Sidekick, and authorized agents cannot automatically discover every existing webhook app, Zapier or Make scenario, middleware route, serverless function, or receiver unless those systems are available to inspect. If the current environment is incomplete, start with one low-risk event and document what is unknown.

    Questions

    Common questions.

    What does Delivered mean?

    Delivered means FlowRelay handed the trigger to Shopify Flow. Shopify Flow still owns branches, downstream app calls, emails, fulfillment actions, and later outcomes.

    Do public examples need raw payloads or secrets?

    No. Public proof should use receipt facts, endpoint settings, mapped fields, support codes, and redacted diagnostics. Do not include endpoint secrets, authentication headers, tokens, raw event bodies, customer data, or copied private logs.

    When is this a good fit?

    This is a good fit when a merchant wants an authorized agent, developer, or partner to help with setup or recovery without granting broad access or sharing private payloads.

    Next step

    Start with one event you can prove.

    Choose one external event, send a safe test, and check the receipt before moving production traffic.

    Install from Shopify App Store Review Agent Access