List GDPR Requests
Retrieve a paginated list of the authenticated customer's own GDPR data requests. Requests are always scoped to the logged-in customer — a customer can never see another customer's requests. Results are ordered newest first by default.
Endpoint
GET /api/shop/gdpr-requestsAuthentication
This endpoint requires an authenticated customer — send the storefront key and a customer Bearer token. See the Authentication page.
GDPR must be enabled
If GDPR data requests are disabled in the store's admin configuration, the endpoint returns HTTP 400 with the message "GDPR data requests are disabled. Please enable GDPR from the admin configuration." The feature has been turned off on the admin side.
Request Headers
| Header | Required | Description |
|---|---|---|
Content-Type | Yes | application/json |
X-STOREFRONT-KEY | Yes | Your storefront API key |
Authorization | Yes | Bearer token (customer login required) |
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
sort | string | id | Sort column: id or created_at. |
order | string | desc | Sort direction: asc or desc. |
page | integer | 1 | Page number. |
per_page | integer | 10 | Items per page. |
Response Fields (200 OK)
The response is a { data, meta } envelope. Each item in data is a GDPR request object.
| Field | Type | Description |
|---|---|---|
data[].id | integer | Request ID. |
data[].type | string | Request type: delete or update. |
data[].status | string | Request status: pending, processing, declined, approved, revoked. |
data[].message | string | The customer's message describing the request. |
data[].email | string | Email address tied to the request. |
data[].revokedAt | string | ISO 8601 timestamp when revoked, or null. |
data[].createdAt | string | ISO 8601 creation timestamp. |
data[].updatedAt | string | ISO 8601 last update timestamp. |
data[].customer | object | The customer who owns the request. |
data[].customer._id | integer | Numeric customer ID of the owner. |
meta | object | Pagination metadata (currentPage, perPage, lastPage, total, from, to). |
Empty Collection
When the customer has no requests, data is an empty array:
{
"data": [],
"meta": {
"currentPage": 1,
"perPage": 10,
"lastPage": 1,
"total": 0,
"from": null,
"to": null
}
}Status Codes
| Status | Meaning |
|---|---|
200 OK | Requests returned. |
400 Bad Request | GDPR is disabled in the store's admin configuration. |
401 Unauthorized | Missing or invalid customer Bearer token. |
403 Forbidden | Missing or invalid storefront key. |

