| description | Protect against bots, cart permalink exploits, and other unauthorized orders by requiring specific customer tags to purchase products with specific product tags. |
|---|
{% hint style="info" %} Checkout validation is great for preventing unauthorized purchases — stopping bots, restricting high-demand products to approved customers, or enforcing wholesale/access rules at the point of sale. {% endhint %}
Unlike Locksmith's locks and keys system — which controls access to storefront pages and content — checkout validation runs directly in checkout. This means it catches attempts to bypass storefront restrictions entirely, including direct-to-checkout links and cart permalink exploits. A tagged product cannot be purchased unless the customer has one of the required tags, regardless of how the cart was assembled.
Because checkout needs to remain fast and efficient, Locksmith's checkout validation is limited to tag-based rules and cannot evaluate your full suite of key conditions. For more complex access control, use Locksmith's locks and keys on the storefront side in addition to checkout validation. Checkout validations are just a way to add a layer of extra checkout protection and, outside of specific circumstances, are often unneeded.
Each rule targets up to two product tags and up to two customer tags. A product matches if it has either product tag; a customer passes if they have either customer tag. You can create up to 25 rules per store.
- Locksmith installed on your store
- Products tagged appropriately in Shopify
- Customer tags set up for the customers you want to allow
- Open the Locksmith app from your Shopify admin.
- Click Settings in the navigation.
- Scroll down to the Checkout validations section.
- Check Enable checkout validations.
- Click Save.
After saving, Locksmith will prompt you to approve the write_validations permission. This is required for Locksmith to create and manage checkout rules in Shopify.
{% hint style="warning" %} Any existing Locksmith checkout validation rules (created via an older version of Locksmith) will be automatically removed when you grant this permission. You will need to recreate them here in the Locksmith settings UI. Checkout rules created by other apps or directly in the Shopify admin are not affected. {% endhint %}
Once the permission is approved and you return to the Settings page:
- Under Checkout validations, click Add checkout validation.
- Fill in the rule:
- Product tags — the tag (or tags, comma-separated) on products that require validation. For example:
wholesale-onlyorrestricted, members-only. - Customer tags — the tag (or tags, comma-separated) a customer must have to be allowed through. For example:
wholesaleorapproved, vip. - Error message (optional) — the message shown to blocked customers. You can use
{{product_title}}to include the product name. Leave blank to use the default message.
- Product tags — the tag (or tags, comma-separated) on products that require validation. For example:
- Make sure Active is checked.
- Click Done.
- Click Save at the top of the page.
{% hint style="info" %} Each field supports up to two comma-separated tags. If you enter more, only the first two will be used. {% endhint %}
Use a private browsing session (without the customer tag) to verify the rule blocks checkout, and a second test with an account that has the tag to confirm it passes through.
how-to-use-a-private-browsing-session.md
- Rules can be toggled on or off individually using the Active checkbox without deleting them.
- Click Edit on any rule to update tags or the error message.
- Click Delete to remove a rule entirely.
- You can have up to 25 rules active at once (a Shopify platform limit across all apps).