Async Callback target IP Ranges/Host Name(s)

Highlighted
New Member
2 0 0

The Hosted Payment SDK supports an asynchronous callback by which my server will send an HTTP POST to Shopify. The docs indicate that my server should post to x_url_callback. The documentation provides https://myshopify.io/ping/1 as an example. In testing I can see that this value is of the from https://store-name.myshopify.com.

 

I'm looking for answers to the following questions so that I can understand how to whitelist outbound requests to Shopify that originate from my network.

 

  1. Are there any guarantees as to which IP Address ranges will be used for the callback endpoint(s)?
  2. Are there any guarantees as to which domain name(s) will resolve to the callback endpoint?  For example, will it always be *.myshopify.com?
  3. Is there one static URL that can be used in conjunction with the HOST header? For example, can I POST to https://shop.myshopify.com and set the HOST header to store-name.myshopify.com

 

 

 

 

 

0 Likes
Shopify Staff
Shopify Staff
625 83 89

Hey @jt2112,

 

No guarantees to the first two, and I don't believe #3 is possible - were you able to test this?

0 Likes
Highlighted
New Member
2 0 0

Just to be clear:

 

Are you saying that the x_url_callback can contain any domain name, for example: mybookstore.com?

0 Likes
Highlighted
Shopify Staff
Shopify Staff
625 83 89

x_url_callback appears to start with checkout.shopify.com - but this isn't guaranteed and could change in future.

0 Likes