API Webhook IP whitelist?

Josh_Larsen
Shopify Partner
7 0 0

Hello,

I'm trying to setup a callback server to handle the shopify webhooks I create in my app and need to know the possible list of IP's that Shopify will be calling back from so I can setup some firewall rules. Is that list published anywhere?

0 Likes
Josh_Larsen
Shopify Partner
7 0 0

So you're telling me that it doesn't matter if I let the entire world into our internal testing web servers? I beg to differ on this point. Usually API callback systems that do calls out to their clients offer a whitelist for security reasons (ie. Salesforce, Zuora, etc). The whitelist is not about authorizing or authenticating the call, it's about not having to expose our web port to just anyone in order to received a callback from a specific company.

0 Likes
Chris_Saunders
Shopify Staff
Shopify Staff
582 0 49

We don't guarantee what IPs webhooks will come from, no.  The current IP(s) aren't likely to be changed soon / often, but we don't recommend locking to those IPs and we don't currently support doing that, nor do we provide notice if they change.

0 Likes
Josh_Larsen
Shopify Partner
7 0 0

Thanks for the info Chris. While not ideal, we will make adjustments to compensate.

0 Likes