API webhooks are different than Web webhooks


Hi. I'm receiving an error when creating a webhook for the "orders/paid" topic; it says "this topic has already been taken", but when I should see it on Settings -> Notifications, it is not there. I do not have any other store, this is the only one. I have two different sets of information for the same shop!! The API shows an "orders/paid" topic and the web shows only an "orders/create" topic.


Via API:



Via Web:



If I send a GET, it shows 2 webhooks that are fine and correctly created via API, but why does the web version show other webhooks?!



And the other question:


The webhook events are signed, and the documentation says "Webhooks created through the Shopify admin are verified using the secret displayed in the Webhooks section of the Notifications page." but when you create a webhook via API, I don't get ANY kind of hash for the validation.


So: are API webhooks one entity and the web webhooks another one? And must the web webhooks be validated with the hash given via web and the API webhooks with the secret API key? It looks like it works this way, but it's strange that the final client could not see all the webhooks created in his store...





Shopify Staff

Webhooks created through the API are scoped only to the app which created them, so you would not be able to see them in the admin interface, nor would you see the webhooks through the API if you're making the request from a different set of credentials. It works this way to protect apps from interfering with each other, and protect them from unintended merchant interference from within the admin.


For your second question, are you saying you're not getting an X-Shopify-Hmac-SHA256 header? Because you absolutely should be.


API-created webhooks and Admin-created webhooks are the same, except for how they are signed (as you read in the documentation), and the scopes in which they are accessible (for safety).




Thanks for the response Alex. It's clearer now how you handle them differently; maybe you should have a notice in the documentation? Or did I miss it? For the second question, I wanted to say that with the API webhook I had to verify with the "secret api" hash, not with the one given via web, and it's fine! Now with the first answer it looks obvious.

1 Like
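The check discussed in this thread, as an added example that is not part of the original posts and not Shopify's own code: a receiver that validates the X-Shopify-Hmac-SHA256 header (base64 HMAC-SHA256 of the raw request body) and reports whether the app's API secret or the admin Notifications secret produced it. The function names, secret values and sample body are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed placeholder secrets, not real credentials.
APP_API_SECRET = b"example-app-api-secret"        # signs webhooks the app created via the API
ADMIN_WEBHOOK_SECRET = b"example-admin-secret"    # secret shown on the Notifications page


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, in the form carried by the header."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(raw_body: bytes, header_value, secrets: dict):
    """Return the name of the secret that validates the header, or None.

    raw_body must be the bytes exactly as received; a parsed and
    re-serialised JSON body will generally not produce the same HMAC.
    """
    if not header_value:
        return None  # header missing: treat the request as unauthenticated
    try:
        received = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return None  # header is not valid base64
    matched = None
    for name, secret in secrets.items():
        expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(expected, received):
            matched = name
    return matched


if __name__ == "__main__":
    body = b'{"id":1001,"topic":"orders/paid"}'  # constructed sample payload
    secrets = {"api": APP_API_SECRET, "admin": ADMIN_WEBHOOK_SECRET}
    print(verify_webhook(body, sign(APP_API_SECRET, body), secrets))
    print(verify_webhook(body, sign(ADMIN_WEBHOOK_SECRET, body), secrets))
```

A receiver that only ever registers webhooks through the API needs just the app secret in `secrets`; accepting both is only useful when the same endpoint is also configured in the admin.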