HMAC verification works on web but not in Shopify mobile app

Shopify Partner

I am using Shopify App Bridge to create an embedded Shopify app.


When a user installs my Shopify app, I verify the user by computing the HMAC and comparing it with the one that Shopify sends me during the install process. I compute the HMAC by calling:




This works perfectly when a user visits the app in the web browser through their Shopify admin.  However, when they visit the app in the mobile app the HMAC that I calculate and the HMAC that Shopify provides to me are different.  


Any idea why the HMAC wouldn't be the same for both web and mobile?

Shopify Staff

Hey @trentjones21.


At this time I can't replicate the issue. From what library are you calling HmacSHA256? I don't think this is a part of App Bridge as far as I can tell. When I calculate the HMAC by hand, it computes as expected for both Mobile and the Web.


The params look to be the same across those two platforms too, so I'm at a bit of a loss based on what I see.


Some of my Ruby code:


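  require 'openssl'
  require 'rack/utils'

  def secure_request?(params)
    Rack::Utils.secure_compare(params['hmac'].to_s, calculate_hmac(params)) # true or false
  end
  # SHARED_SECRET is the app's API secret key
  def calculate_hmac(params)
    OpenSSL::HMAC.hexdigest('sha256', SHARED_SECRET, sorted_string_params(params))
  end
  # Signed message: every param except hmac itself, as sorted key=value pairs joined with '&'
  def sorted_string_params(params)
    params.reject { |k, _| k == 'hmac' }.map { |k, v| "#{k}=#{v}" }.sort.join('&')
  end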
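
A debugging aid for the mismatch discussed in this thread, added here as an example and not code from either poster or from Shopify: it starts from the raw query string, returns the exact message that gets signed so the web and mobile requests can be compared side by side, and verifies the HMAC in constant time. The secret, shop name, timestamp and all helper names are constructed for the example.

```ruby
require 'openssl'
require 'uri'

# Constructed value for this example only; a real app uses its API secret key.
EXAMPLE_SECRET = 'example-shared-secret'

# Split a raw query string into [received hmac, canonical message that is signed].
def split_query(query)
  pairs = URI.decode_www_form(query)
  received = pairs.assoc('hmac')&.last.to_s
  message = pairs.reject { |k, _| k == 'hmac' }.map { |k, v| "#{k}=#{v}" }.sort.join('&')
  [received, message]
end

def expected_hmac(message, secret)
  OpenSSL::HMAC.hexdigest('sha256', secret, message)
end

# Constant-time comparison: does not reveal how many leading characters matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_query(query, secret)
  received, message = split_query(query)
  secure_equal?(received, expected_hmac(message, secret))
end

# Keys whose values differ between two requests (the hmac itself is ignored).
def differing_keys(query_a, query_b)
  a = URI.decode_www_form(query_a).to_h
  b = URI.decode_www_form(query_b).to_h
  ((a.keys | b.keys) - ['hmac']).reject { |k| a[k] == b[k] }.sort
end

# Build a constructed sample request signed with the given secret.
def sign(params, secret)
  msg = params.map { |k, v| "#{k}=#{v}" }.sort.join('&')
  URI.encode_www_form(params.merge('hmac' => expected_hmac(msg, secret)))
end

WEB = sign({ 'shop' => 'example.myshopify.com', 'timestamp' => '1700000000' }, EXAMPLE_SECRET)
# Same hmac as WEB, but one value altered after signing: verification must fail.
ALTERED = WEB.sub('1700000000', '1700000001')
```

Logging `split_query(query).last` for a failing request and a passing one, then running `differing_keys` on the two query strings, shows whether the inputs to the HMAC differ or only the computation does.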