Journal

Shopify Order.cartToken in GraphQL: why it matters for post-checkout attribution

Shopify's 2026-07 Admin GraphQL API adds Order.cartToken. Here's why that small field matters for cart-to-order stitching, pixel + webhook dedupe, and server-side tracking on Shopify.

Key takeaways

What to remember

Order.cartToken gives apps a cleaner bridge from an order webhook back to the cart/session that produced it.
The practical win is better pixel + webhook dedupe, post-checkout attribution recovery, and debugging when browser context disappears.
Cart tokens should stay internal: useful for stitching, not a field to spray into ad-platform payloads.
Consent still applies; this improves attribution plumbing, not privacy requirements.

Shopify added cartToken to the Admin GraphQL Order object in API version 2026-07. This token matches the existing REST Admin API cart_token field and represents the cart used to create an order.

The GraphQL query to retrieve it is:

Graphql

query EventabeeOrderCartToken($id: ID!) {
  order(id: $id) {
    id
    cartToken
  }
}

This is useful because after checkout, tracking systems often have order webhook data but lack the original cart object. cartToken bridges this gap, allowing for better connection between browser-side and server-side purchase information.

Tracking systems can:

Capture the cart token during checkout.
Map it to browser/session context already collected with consent.
When a webhook arrives without a cart token, fetch Order.cartToken from Admin GraphQL.
Use this token to link the order back to the session.

This creates a more reliable connection than probabilistic fingerprinting and improves several aspects of Shopify tracking:

Pixel + webhook dedupe: More accurately determine if browser pixel and webhook signals describe the same purchase, especially when one side lacks complete data.
Server-side conversion recovery: If the browser event fails but the webhook succeeds, cartToken can reconnect it to a known session, providing more context than treating the order as anonymous.
Better debugging: Pinpoint attribution issues like missing browser context or duplicate events more easily.

Eventabee uses this pattern by:

Storing cart_token → session_id mappings.
Fetching Order.cartToken from GraphQL if absent in webhooks.
Injecting the token into event payloads before merging pixel and webhook data.
Reporting stitch methods (event ID, cart token, email, or none) to show merchants how conversions were connected.

Ultimately, Order.cartToken enhances Shopify tracking reliability by providing a clearer link between pre- and post-checkout data points. It empowers merchants with better insights into conversion attribution and debugging. Remember: cart tokens are internal join keys, not public identifiers to be sent directly to ad platforms. They should be used within the merchant’s consent and privacy framework. Flags: …

Frequently asked questions

What did Shopify change?

Shopify added cartToken to the Admin GraphQL Order object in API 2026-07. The field returns the token associated with the cart that created the order, matching the existing REST Admin API cart_token field.

Why does Order.cartToken matter for attribution?

After checkout, many app surfaces have order context but not the original cart object. Order.cartToken gives apps a deterministic cart-to-order join key that can reconnect server-side order data to pre-purchase browser/session context.

Does this replace consent?

No. Cart-token stitching does not bypass consent or destination rules. It is an internal enrichment key that should still be applied only within the merchant's consent and privacy configuration.

Should cart tokens be sent to Meta, Google, or TikTok?

Usually no. Treat cart tokens as internal join keys for stitching, diagnostics, and reporting. Send only the destination-supported identifiers and fields that are appropriate for the merchant's consent state.

← More from the blog Start a project