Can't create webhooks using Private App API keys.

New Member
2 0 0


I'm trying to automate the creation of webhook subscriptions for different stores (and different topics). Our application makes use of private apps API key/password to create and update products. We are now trying to get notifications on order changes using the webhooks API.

I'm running some tests and I'm not able to create a webhook subscription using the API.

It always says that the Address for the given topic (orders/create in this case) has already been taken.

I'm instantiating a new session on behalf of a particular shop, using API key and Password for Basic authentication. 

On the other hand, when I create the subscription through the Admin panel, I'm able to create the subscription, but with no luck using the API. We're using Ngrok for receiving HTTPS requests, and when I create the subscription using the Admin panel and send the notification test, I get the request correctly.

Am I missing something? Is it possible to create webhook subscriptions using a private app's API key and password? With the test request, I'm also able to validate the request and all.

Thanks in advance!

Shopify Partner
494 68 102

You cannot create webhook subscriptions using a private app's API key and password.
You can only perform operations with the APIs that are listed under ADMIN API PERMISSIONS, based on read, write or read/write permission.
Refer to the attached image.


New Member
2 0 0

I see. I appreciate your help Jivan.

I guess that's why we cannot validate the webhook request using the shared secret created along with the private app's API key and password, right?

We have already decided to create the subscriptions manually using the admin panel and started using the secret shown when you create a new subscription.

However, we receive lots of POST requests that fail to validate when using either shared secret. Is that normal behavior?

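def valid?(secret, body, hmac) do
  # body must be the raw request body, exactly as received (not parsed and re-encoded)
  # :crypto.mac/4 replaces :crypto.hmac/3, which was removed in OTP 24
  :crypto.mac(:hmac, :sha256, secret, body)
  |> Base.encode64()
  |> String.equivalent?(hmac)
end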

First, we used the shared secret given by the private app but had no luck validating the request. Then we switched and started using the one that is shown when the subscription is created, and we could validate the requests. The thing is that we suddenly get multiple requests that fail the validation.

Does that sound familiar?

Thanks in advance!
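
Added example (not part of the original posts, and not Shopify's code): a Ruby check that recomputes the Base64 HMAC-SHA256 over the raw request body and reports which of several candidate secrets validates it, which helps when, as in the post above, it is unclear which secret a failing request was signed with. The secret labels, secret values and payload are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "json"

# Constant-time comparison so the check does not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Base64-encoded HMAC-SHA256 of the raw request body (the value valid?/3 in the post computes).
def webhook_hmac(secret, raw_body)
  Base64.strict_encode64(OpenSSL::HMAC.digest("SHA256", secret, raw_body))
end

# Returns the label of the first candidate secret that validates the request, or nil.
# `secrets` is a hash of label => secret; the labels are hypothetical, for diagnosis only.
def matching_secret(secrets, raw_body, header_hmac)
  return nil if header_hmac.nil? || header_hmac.empty?
  expected = header_hmac.strip
  match = secrets.find { |_label, secret| secure_compare(webhook_hmac(secret, raw_body), expected) }
  match && match.first
end

# Constructed sample data (not real credentials or a real payload).
SECRETS = {
  private_app_shared_secret: "constructed-private-app-secret",
  admin_subscription_secret: "constructed-admin-panel-secret"
}.freeze
RAW_BODY = '{"id":1001,"email":"buyer@example.com","total_price":"19.90"}'
HEADER   = webhook_hmac(SECRETS[:admin_subscription_secret], RAW_BODY)

if __FILE__ == $PROGRAM_NAME
  puts "raw body:        #{matching_secret(SECRETS, RAW_BODY, HEADER).inspect}"
  # Parsing and re-serializing changes the bytes (here, whitespace), so no secret matches.
  reencoded = JSON.pretty_generate(JSON.parse(RAW_BODY))
  puts "re-encoded body: #{matching_secret(SECRETS, reencoded, HEADER).inspect}"
  # A body altered after signing must fail under every secret.
  tampered = RAW_BODY.sub("19.90", "0.01")
  puts "tampered body:   #{matching_secret(SECRETS, tampered, HEADER).inspect}"
end
```

Logging the returned label (never the secret itself) for each incoming request shows whether failures come from a different signing secret or from a body that was modified or re-encoded before the check.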

Shopify Partner
29 2 4

You CAN create a webhook using Private API keys.


(I'm on Ruby on Rails using the ShopifyAPI gem)

First, connect from your app to your store:


# Basic-auth URL built from the private app's API key and password
shop_url = "https://[APIKEY]:[password]@[SHOPDOMAIN]"
ShopifyAPI::Base.site = shop_url
ShopifyAPI::Base.api_version = '2020-01'


Then create your webhook



