HMAC validation on making requests to backend

Shopify Partner

Hi there,


I've created some extension admin links that call my Node.js app. What's the best way to validate the HMAC? Is anyone using shopify-token to create a middleware that verifies the HMAC?

Is this the best way to do it?


Kind regards,

Thank you.



Shopify Partner

Correct, the best way to validate that the request hitting your service is in fact being called from Shopify is to generate an HMAC with the query parameters and the shared secret key (your APP private key). The HMACs should then match to confirm that the requestor of the service did originate from Shopify and not from some man-in-the-middle attack.


I believe the docs explain how to alphabetize the query parameters and then use the Node crypto library to encode the HMAC with your private key. Reminder that you have to percent-encode the parameters.

1 Like
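
A sketch of the check described in the reply above, added here as an example and not code from either poster or from Shopify. It assumes the signature is a hex HMAC-SHA256 over the query string with the `hmac` pair removed and the remaining pairs sorted by key; pairs are kept exactly as received so their percent-encoding is not altered. The function names, sample secret and sample query are hypothetical, and the middleware assumes an Express-style `req.originalUrl`.

```javascript
const crypto = require("node:crypto");

// Split the raw (still percent-encoded) query string into [key, pair] entries.
function parsePairs(rawQuery) {
  return rawQuery.replace(/^\?/, "").split("&").filter(Boolean)
    .map((pair) => [pair.split("=")[0], pair]);
}

// Assumed scheme: hex HMAC-SHA256 over the non-hmac pairs, sorted by key, joined with "&".
function computeHmac(rawQuery, secret) {
  const message = parsePairs(rawQuery)
    .filter(([key]) => key !== "hmac")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([, pair]) => pair)
    .join("&");
  return crypto.createHmac("sha256", secret).update(message).digest("hex");
}

function verifyHmac(rawQuery, secret) {
  const supplied = parsePairs(rawQuery).filter(([key]) => key === "hmac");
  if (supplied.length !== 1) return false; // missing or duplicated hmac parameter
  const value = supplied[0][1].slice("hmac=".length);
  if (!/^[0-9a-f]{64}$/i.test(value)) return false; // not a SHA-256 hex digest
  const expected = Buffer.from(computeHmac(rawQuery, secret), "hex");
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(expected, Buffer.from(value, "hex"));
}

// Express-style middleware: reject the request before any handler runs.
function requireShopifyHmac(secret) {
  return (req, res, next) => {
    const i = req.originalUrl.indexOf("?");
    const rawQuery = i < 0 ? "" : req.originalUrl.slice(i + 1);
    if (!verifyHmac(rawQuery, secret)) return res.status(401).send("invalid hmac");
    return next();
  };
}

// Constructed sample values, not real credentials or a real shop.
const SAMPLE_SECRET = "constructed-secret-not-real";
const SAMPLE_QUERY = "shop=example.myshopify.com&timestamp=1700000000&id=42";
```

The secret should come from server-side configuration and never be sent to the browser.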