Ecwid (now part of Lightspeed as E-Series) uses a store-owner model with optional staff accounts on paid plans. The store owner has full access, while staff accounts are granted specific permission areas that control which sections of the Ecwid admin they can access.
Permission model overview
Ecwid's access control is straightforward:
- Store Owner -- Single account with full, irrevocable access to all store functionality including billing, API keys, and staff management
- Staff Accounts -- Additional users with configurable access to specific admin sections. Available on Business plan and above.
- App-level access -- Third-party apps request OAuth scopes during installation that define their API access
There are no custom role definitions. Each staff account has individual permission toggles.
Staff account permissions
Staff accounts are managed under Settings > Staff. Each staff member can be granted or denied access to these areas:
- Store Management -- Modify store settings, payment and shipping configuration, and general store setup
- Products -- View, add, edit, and delete products and categories, manage inventory
- Orders -- View and manage orders, process refunds, print invoices and packing slips
- Customers -- View and manage customer accounts and contact information
- Marketing -- Manage discount coupons, abandoned cart recovery emails, and promotional tools
- Design -- Customize the store appearance, edit the Instant Site design, and manage store display settings
- Reports -- Access sales reports, product performance, and analytics dashboards
- Apps -- Install, configure, and remove Ecwid App Market applications
Each permission toggle controls an entire section. There is no distinction between read and write access within a section -- a staff member with Orders access can both view and manage orders.
Managing users in the admin panel
Adding a staff account:
- Go to Settings > Staff in the Ecwid admin panel
- Click Add Staff Member
- Enter the person's name and email address
- Select which permission areas to enable
- Click Invite -- the user receives an email with login instructions
Modifying a staff member:
- Go to Settings > Staff
- Click the staff member's name
- Adjust permission toggles
- Save -- changes take effect on next login
Removing a staff member:
- Go to Settings > Staff
- Click the staff member's entry
- Click Remove and confirm
API access and OAuth scopes
Ecwid's REST API uses OAuth 2.0 for authentication. API access is managed through:
- Store-level API keys -- The store owner can view their store ID and API keys under Settings > API. These provide full access to the store's data.
- App-level OAuth tokens -- Third-party apps installed from the Ecwid App Market request specific OAuth scopes during installation. Each app gets a token limited to its requested scopes.
Common API scopes include:
- read_store_profile / update_store_profile -- Store settings
- read_catalog / update_catalog -- Products and categories
- read_orders / update_orders -- Order data
- read_customers / update_customers -- Customer accounts
- read_discount_coupons / update_discount_coupons -- Promotions
- customize_storefront -- Inject custom JS/CSS into the storefront widget
- add_shipping_method / add_payment_method -- Register custom shipping/payment handlers
App permissions are set during app registration in the Ecwid developer portal and cannot be modified by the store owner after installation (they approve or reject the full scope set during install).
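Because the scope set can only be approved or rejected as a whole, the review has to happen before installation. The sketch below is an added example, not Ecwid code: it sorts an app's requested scopes into review tiers and rejects the request if any scope beyond read-only is not needed for the app's stated function. The scope names are the ones listed above; the tiers, the decision rule and the sample apps are assumptions constructed for illustration.

```python
# Added example. Scope names are the ones listed on this page; the risk tiers,
# decision rule and sample apps are constructed for illustration.
HANDLER_SCOPES = {"add_shipping_method", "add_payment_method"}

def classify_scope(scope):
    """Map one scope name to a review tier."""
    if scope == "customize_storefront":
        return "storefront-script"   # app can inject JS/CSS into the storefront
    if scope in HANDLER_SCOPES:
        return "checkout-handler"    # app registers shipping/payment handlers
    if scope.startswith("update_"):
        return "write"
    if scope.startswith("read_"):
        return "read"
    return "unknown"

def review_app(requested, needed):
    """requested: whitespace-delimited scope string as recorded by the reviewer.
    needed: set of scopes the app's stated function actually requires.
    Returns (decision, findings); findings are (scope, tier, reason) tuples."""
    findings = []
    for scope in sorted(set(requested.split())):
        tier = classify_scope(scope)
        if tier == "unknown":
            findings.append((scope, tier, "not in the reviewed scope list"))
        elif scope not in needed:
            findings.append((scope, tier, "not needed for the stated function"))
    # Installation is all-or-nothing, so one excess scope above read-only
    # (or one unrecognised scope) is enough to reject the whole request.
    if any(tier != "read" for _, tier, _ in findings):
        return "reject", findings
    return ("approve-with-note" if findings else "approve"), findings

# Constructed sample requests: (requested scopes, scopes the function needs)
SAMPLE_APPS = {
    "label-printer": ("read_orders read_store_profile update_customers customize_storefront",
                      {"read_orders", "read_store_profile"}),
    "inventory-sync": ("read_catalog update_catalog", {"read_catalog", "update_catalog"}),
    "report-export": ("read_orders read_customers", {"read_orders"}),
}

if __name__ == "__main__":
    for app, (requested, needed) in SAMPLE_APPS.items():
        decision, findings = review_app(requested, needed)
        print(f"{app}: {decision}")
        for scope, tier, reason in findings:
            print(f"  {scope} [{tier}] {reason}")
```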
Analytics and tracking permissions
- Built-in reports -- Ecwid provides sales reports, product performance, and traffic overview under the Reports section. Staff accounts with the Reports permission can view this data.
- Google Analytics -- Connect GA under Settings > General > Tracking & Analytics (or Settings > General > Google Analytics in some versions). Only the store owner or a staff member with Store Management permission can configure this.
- Facebook Pixel -- Configured under Settings > General > Tracking & Analytics > Facebook Pixel. Same permission requirement as GA.
- Custom tracking code -- Add GTM or other scripts under Settings > General > Tracking & Analytics > Custom Tracking Code. This field accepts arbitrary JavaScript that is injected into the storefront. Requires Store Management permission.
- Ecwid Instant Site -- If using Ecwid's built-in website (Instant Site), additional tracking code can be added under the Instant Site settings. Requires Design permission.
A staff member with only Reports access can view analytics data but cannot install or modify tracking scripts. Full analytics setup requires Store Management permission.
Plan-based staff limits
- Free -- No staff accounts (owner only)
- Venture -- No staff accounts
- Business -- Up to 2 staff accounts
- Unlimited -- Up to 2 staff accounts (more available via Lightspeed E-Series plans)
Check your current plan under Settings > Billing & Plans.
Ecwid on external sites
Ecwid is designed to embed into existing websites (WordPress, Wix, Squarespace, custom HTML). User management considerations for embedded stores:
- The Ecwid admin is always at my.ecwid.com regardless of where the store is embedded
- Staff accounts access the same admin panel as the store owner
- Storefront customization via the host platform (e.g., WordPress admin) uses separate credentials from the Ecwid admin
- If the Ecwid store is embedded via the WordPress plugin, the WordPress user who installs the plugin needs the Ecwid store ID and credentials
Security notes
- Ecwid does not support SSO, SCIM, or LDAP for admin accounts
- Two-factor authentication is available for the store owner account
- Staff accounts use email/password login with a separate set of credentials from the store owner
- Session management and timeout settings are controlled by Ecwid and not configurable
- There is no admin activity audit log accessible to store owners
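With no audit log, the only record of who held which permission is one you keep yourself. The following added example (not part of Ecwid) compares two snapshots of the Settings > Staff page and singles out changes that give an account Store Management or Design, the two areas this page ties to tracking-code fields. It assumes the snapshots are recorded by hand as email-to-permission-areas mappings; the addresses and data are constructed.

```python
# Added example. Snapshots are assumed to be recorded by hand from
# Settings > Staff; the accounts below are constructed sample data.
# Areas this page links to storefront tracking code:
#   Store Management -> custom tracking code (arbitrary storefront JavaScript)
#   Design           -> Instant Site tracking code
SCRIPT_AREAS = {"Store Management", "Design"}

def diff_snapshots(before, after):
    """Each snapshot maps staff email -> set of enabled permission areas.
    Returns a list of (email, change, areas) tuples ordered by email."""
    changes = []
    for email in sorted(set(before) | set(after)):
        old, new = before.get(email), after.get(email)
        if old is None:
            changes.append((email, "account added", sorted(new)))
        elif new is None:
            changes.append((email, "account removed", sorted(old)))
        else:
            if new - old:
                changes.append((email, "granted", sorted(new - old)))
            if old - new:
                changes.append((email, "revoked", sorted(old - new)))
    return changes

def needs_review(changes):
    """Changes that give an account a path to storefront JavaScript."""
    return [c for c in changes
            if c[1] in ("account added", "granted") and SCRIPT_AREAS & set(c[2])]

# Constructed snapshots taken a month apart
BEFORE = {
    "support@example.test": {"Orders", "Customers"},
    "design@example.test": {"Design"},
}
AFTER = {
    "support@example.test": {"Orders", "Customers", "Store Management"},
    "temp@example.test": {"Reports"},
}

if __name__ == "__main__":
    changes = diff_snapshots(BEFORE, AFTER)
    for email, change, areas in changes:
        print(f"{email}: {change} {', '.join(areas)}")
    for email, change, areas in needs_review(changes):
        print(f"REVIEW {email}: {change} {', '.join(areas)}")
```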
Sub-pages in this section
- Roles and Permissions -- Permission area details, recommended staff configurations, and OAuth scope reference
- Adding and Removing Users -- Staff invitation workflow, credential management, and offboarding