Documentation
Feedback
Guides
API Reference
App Development
Storefront Development
VTEX IO Apps
Troubleshooting
Release Notes
Release Notes
2025
2024
2023
2022
2021
2020
2019
Improved
Granular permissions for Seller Register API and Marketplace Network
2 days ago

We have implemented an explicit permissions validation model for Seller and Marketplace Network services, replacing the previous implicit authorization model based on account level. This change is available to all platform users.

You must complete the permission configuration by March 1, 2026. After this date, requests without the proper permissions will be blocked.

What changed?

Previously, any authenticated user with basic account access had implicit permission to operate the Seller and Marketplace Network modules through the API. With this update, the system requires the user or application key (appKey) to have specific access resources associated with their profile to interact with API endpoints.

New access resources

ServiceResourceDescription
Seller RegisterView SellerAllows querying seller data (GET endpoints)
Seller RegisterSave SellerAllows creating and editing sellers (POST/PUT/PATCH endpoints)
Marketplace NetworkAccess the Marketplace NetworkAllows full access to the module

Impact on integrations

Automated requests (ERPs, middlewares, custom integrations) using appKeys that do not receive the new permissions will return:


_10
HTTP 403 Forbidden

Affected endpoints

All Seller Register API endpoints now require View Seller or Save Seller resources depending on the operation:

  • GET requests: Require View Seller
  • POST/PUT/PATCH requests: Require Save Seller

Why did we make this change?

To align the modules with the security principle of Least Privilege, raising the platform's level of governance and security. Key benefits:

  • Permission segregation: Clear distinction between users who only query data and users who can modify configurations.
  • Granular control: Administrators can configure specific access profiles for each use case.
  • Reduced operational risk: Prevention of accidental or unauthorized changes to critical seller configurations.

What needs to be done?

For application keys (appKeys)

  1. Go to Account Settings > User Roles in the VTEX Admin.
  2. Identify the profiles linked to appKeys that make calls to the Seller Register API.
  3. Edit the profile and add the necessary resources:
    • View Seller (under "Seller Register") for read operations
    • Save Seller (under "Seller Register") for write operations
    • Access the Marketplace Network (under "Channels") if applicable
  4. Save and perform test calls to validate.

For Admin users

  1. Go to Account Settings > User Roles.
  2. Identify the profiles of users who interact with sellers.
  3. Add resources according to the required access level.
  4. Validate access to modules in the VTEX Admin.

API validation example


_10
curl --request GET \
_10
--url https://{accountName}.vtexcommercestable.com.br/api/seller-register/pvt/sellers \
_10
--header 'Accept: application/json' \
_10
--header 'X-VTEX-API-AppKey: {appKey}' \
_10
--header 'X-VTEX-API-AppToken: {appToken}'

If the response is 403 Forbidden, the appKey does not have the required permissions.

For more information, see the User Roles documentation and the Seller Register API Reference.

Was this helpful?
Yes
No
FastStore Release Notes — Version 3.95.0
« Previous
On this page