Why your WHOLESALER discount code works for everyone in Shopify guest checkout

A merchant typed the entire problem in two sentences

Here is what one Shopify merchant posted to the community forum in late 2023:

"In my discounts, I have discount codes, a percentage off the order, such as WHOLESALER tagged to specific set of customers, customer_tags CONTAINS 'WHOLESALER'. So Customer Eligibility is set to specific customers. Yet at checkout, all customers can use WHOLESALER discount code. Even if no one is logged in (so checking out as a guest), the WHOLESALER discount code can still be applied at checkout, which is the wrong behavior."

That is the whole bug, in plain English. The thread has been open for fourteen months and it keeps collecting new merchants saying the same thing. In May 2024 another store owner posted: "All discount codes work for all customers (and guests) even if they are supposed to be tied to a certain customer segment." In January 2025: "It's 2025 and I have the same issue. Will it ever be fixed?" A separate thread from October 2023 ended with: "It allowed me to use it even as a guest. Basically anyone with the code could see the discount."

If your store has a WHOLESALER code, a TRADE code, a VIP code, or anything you set to "Specific customers," and the code has ever ended up shared on Reddit, in a Discord, or forwarded by a former wholesale rep, you should assume the same thing is happening to you right now. The retail buyer applying it at guest checkout is getting the wholesale price, and your dashboard shows a clean order.

Why this happens

Shopify's "Customer eligibility — Specific customers" check is a logged-in check. It reads the buyer's customer tags off their account record and compares them to the rule. There is exactly one place those tags live: the customer's account.

A guest checkout has no account. There is an email, a shipping address, a phone, a card, and a browser session. There are no tags, because there is no customer record yet. The eligibility check has nothing to compare against, and Shopify's default behavior is to let the code through rather than reject a buyer who might genuinely be a tagged wholesaler that forgot to log in.

That choice is defensible if you assume every wholesaler religiously logs in before checking out. In practice, most B2B buyers on Shopify don't. They click the checkout button, the cart remembers the code, and the order goes through at the wholesale price without anyone ever proving they belong to the wholesale segment.

You can confirm this in five minutes with your own store. Open an incognito window, add a product to cart, paste your WHOLESALER code, and check out as a guest. If the discount applies, the gap is live.

Why every workaround fails

Most stores that hit this problem cycle through the same three or four workarounds. Each of them looks like a fix and none of them are.

Locksmith and storefront-gating apps. These hide the wholesale catalog or specific products behind a passcode or a customer-tag check. The buyer has to log in or know a passphrase to see the wholesale collection. That is useful for visibility, but it is not the same problem. The retail buyer with the leaked WHOLESALER code is not on your wholesale collection page. They are on a regular product page applying a code they got from somewhere else. Locksmith never sees them.

Wholesale apps that hide the price. B2B/Wholesale apps that show different prices to tagged customers run on the same logic — they switch prices based on the customer record. Guests get retail prices and retail products, which is correct. None of that prevents a guest from typing a wholesale discount code at checkout. The code is the bypass.

Theme-level customer-tag checks. A developer adds Liquid that hides the discount field, the cart, or specific buttons unless the customer is logged in and tagged. This works on the theme. The Shopify checkout is not your theme. It runs on Shopify's infrastructure, the discount field is always there, and the code applies regardless of what your theme tried to hide.

Forcing login at checkout. This is the closest thing to a real fix, and it has its own cost. Forcing every buyer to create an account before checking out kills your B2B conversion rate. The wholesalers you want to keep are also the buyers most likely to abandon a forced-login flow because they're placing a quick reorder from their phone. You are trading a discount leak for a conversion leak, and the conversion leak is usually bigger.

The four workarounds together describe the shape of the gap. Storefront tools control visibility. Pricing tools control what tagged customers see. Theme code controls what your storefront shows. None of them control what happens at checkout when a code is applied. That is a different layer, and the layer is empty by default.

What this costs

Wholesale margins are thin. The whole point of a wholesale tier is that it strips most of the retail markup out in exchange for volume and predictability. A retail buyer who applies your wholesale code at guest checkout is collecting the volume discount on a single retail-sized order. They are not buying a pallet. They are buying one unit at the price you set for someone buying fifty.

Run the numbers on your own store. If your wholesale tier is 35% off retail and your retail margin is 50%, then a leaked wholesale order earns you 15% margin instead of 50%. One leaked order wipes the margin from roughly three to five legitimate retail orders. If the code has been shared in a coupon community, you are not catching one of these a month — you are catching one a day, and they look indistinguishable from real wholesale activity in your reports until you reconcile the customer list.

The pattern is also durable. Once a code shows up in a coupon-sharing community, it stays there. Cycling the code is a maintenance burden — every active wholesaler has to be notified, the new code distributed, and the old one retired. Most stores cycle once and then quietly stop, which means the leaked code from 2024 is still working in 2026.

How OfferGuard validates customer-tag eligibility in guest checkout

OfferGuard runs a server-side function inside Shopify's checkout. When a code is applied, the function reads the code, looks at the buyer in front of it, and decides whether to honor the discount.

The piece that makes guest checkout work is that OfferGuard maintains a persistent identity for the buyer that does not depend on whether they're logged in. The same buyer who has placed orders before at the same email, address, or phone shows up as the same buyer the next time they check out, even if they're a guest, even if they used a different email this time. The eligibility rule runs against that persistent profile, not against a tag on a Shopify customer record that only exists when someone is logged in.

You configure the rule the way you'd expect: this code requires the buyer to match the WHOLESALER profile, or the TRADE profile, or whatever segment you defined. When a guest applies the code, the function checks the buyer's identity signals against the segment, and:

• If they match the segment, the discount applies and checkout continues normally.
• If they don't match, the action you configured runs. The most common one is "deduct" — the discount comes off, the cart shows the regular price, and the order proceeds at full price. The buyer can decide whether to continue. There's no error message, no popup, no public accusation.

Other actions are available. You can block the checkout entirely, hold the order for review, or apply a different rule. Most stores running this on a wholesale code use deduct, because the buyer still might want to buy the product at retail and there's no reason to push them away.

The whole thing runs in the same checkout the buyer is already in. There is no redirect, no extra page, no required login. The wholesaler who never logs in and just pastes their code keeps getting their price, because their email and address match the wholesale profile. The retail buyer with a leaked code gets the cart at full price, because their identity doesn't match.

Beyond wholesale: the same gap shows up everywhere

The wholesale code is the loudest version of this problem because the discount is the largest. The same gap exists for any code your store ties to a customer segment.

• VIP pricing. Your top 100 customers get a permanent 15% off code. The code leaks. Now everyone gets 15% off.
• Member-only sales. Subscribers to your loyalty program get a private sale code. A screenshot ends up on Twitter. Your private sale is now public.
• Trade pricing for artists, salons, contractors. A licensed cosmetologist gets a trade code for professional products. The code travels home with their friends.
• Friends-and-family. Employees get a 30% F&F code at the holidays. By January it has been forwarded to roughly 40 people who are not friends or family.

The fix is the same for all of them. The eligibility rule lives at the segment level, the validation runs at checkout, and the discount only honors for buyers whose identity matches the segment.

A few common questions

What about new wholesalers who haven't been tagged yet? You handle them the same way you do today. When you onboard a wholesaler, you add them to the segment. Once they're in, the code starts working for their identity. Until then, the rule treats them as retail and the code falls off — which is the correct behavior, because they are in fact not a wholesaler yet from your store's perspective. Most stores set up a short approval flow that adds the buyer to the wholesale segment before sending them the code in the first place, which means the code and the access arrive together.

Does this break our existing storefront login flow? No. OfferGuard runs at checkout, after the buyer has decided what they're buying and applied a code. Your storefront, your wholesale collection, your B2B login page, and your customer accounts continue to work exactly as they do today. Logged-in wholesalers continue to log in. Guest wholesalers stop being a leak.

Can I have different rules for different tags? Yes. Each rule can target a different segment, code, or set of products. You can have one rule for WHOLESALER, a different rule for TRADE, a different rule for VIP, and they run independently. The Sentinel plan is unlimited rules.

What does the buyer see when the code is rejected? With the deduct action, the discount line disappears from the cart and the regular price shows. There is no error popup, no warning, and no message accusing the buyer of anything. The cart simply shows what the order costs at retail, and the buyer decides whether to continue. With the block action, the buyer sees a checkout error and the order can't be placed at all. Most stores choose deduct for wholesale codes because converting the leaked-code user into a retail buyer at full price is better than losing them.

What if the same wholesaler uses two different shipping addresses (warehouse and storefront)? OfferGuard's identity profile combines several signals — email, phone, billing address, browser, and others. A single wholesaler shipping to two addresses still resolves to one identity, because the other signals tie them together. Multi-location B2B accounts work normally.

Is this real-time? Yes. The validation runs server-side inside the checkout, in the same request that applies the discount. Buyers don't wait, and there's no after-the-fact email asking them to verify anything.

Closing the gap

The Shopify thread that started this article is still open. Merchants are still posting on it. Shopify has not changed the underlying behavior, and there's no signal that it will — the "Specific customers" eligibility check on a discount code is a logged-in check, and that's how the platform is designed.

The fix is to add the layer Shopify doesn't include: server-side identity validation at checkout, running against a persistent profile of the buyer, regardless of whether they're logged in. That layer reads the code, checks the buyer, and decides whether the wholesale price is the right price for this order.

OfferGuard is in the Shopify App Store. The free plan covers one rule and 50 checks a month, which is enough to point a single rule at your WHOLESALER code and see how many leaked-code attempts come through in a week. The Sentinel plan is $29 a month for unlimited rules and unlimited checks, which is what most stores running this against multiple segments end up on.

If your store has a wholesale code that's been around longer than six months, run the test in incognito today. If the discount applies as a guest, you have the gap. The first week of validation usually surprises the merchant — the leaked-code traffic has been there the whole time.

Related reading:

• Why Bubblehouse self-referrals slip through on Shopify (and what catches them)
• One per household: how to enforce address-level purchase limits on Shopify