I really don't understand how webhook verification works

New Member

https://shopify.dev/tutorials/manage-webhooks#best-practices I followed this tutorial. But I can't find the same encoded hash as the one provided in the header.

Here is how I understood the system:

- We create an HMAC with the secret key given in the webhook admin page and the data sent by the webhook.

Then we encode this hash. Then we compare it to the one given in the header.

My question is: if the HTTP_X_SHOPIFY_HMAC_SHA256 is base64 encoded, I should be able to decode it and get a sha256 hash, right? So why, when I decode it, do I get some unprintable characters?

I really can't find a way to compare the value in the header and my own hash.

Please tell me if I misunderstood how this system works and what I'm not doing right. Thanks

Shopify Partner

To verify the HMAC you don't decode it. You just hash out what the signature should be (based on what's being sent and your shared secret) and if the hashed value you calculate matches what's sent as the signature...then voila, it's legit. Here it's described in more detail --> https://shopify.dev/tutorials/manage-webhooks#verifying-webhooks.

Hope this helps!
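
The check discussed in this thread, as an added example that is not part of the original posts or Shopify's own code: it recomputes the signature over the raw request body and compares it to the header value, and it shows that base64-decoding the header yields the raw 32-byte digest (binary, hence unprintable) rather than a hex string. The secret, the body and the function names are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample values (not real Shopify data).
SECRET = b"constructed-shared-secret"
RAW_BODY = b'{"id":1001,"email":"buyer@example.com"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 of the raw 32-byte HMAC-SHA256 digest, the form the header carries."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Recompute the signature over the exact bytes received and compare."""
    if not header_value:
        return False  # a missing header is never valid
    expected = sign(secret, raw_body)
    # compare_digest takes constant time, so response timing does not
    # reveal how many leading characters of a guess were correct.
    return hmac.compare_digest(expected.encode("ascii"),
                               header_value.strip().encode("utf-8"))


def header_as_hex(header_value: str) -> str:
    """Decode the header to raw bytes and render them as hex.

    The decoded bytes are binary, not text, which is why printing them
    shows unprintable characters; hex is just another text encoding of
    the same 32 bytes.
    """
    try:
        raw = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("header is not valid base64") from exc
    return raw.hex()


if __name__ == "__main__":
    header = sign(SECRET, RAW_BODY)  # stands in for the received header
    print("header value :", header)
    print("same as hex  :", header_as_hex(header))
    print("valid        :", verify_webhook(SECRET, RAW_BODY, header))
    # Re-serialising the parsed JSON changes the bytes and breaks the match.
    print("reformatted  :", verify_webhook(SECRET, RAW_BODY.replace(b":", b": "), header))
```

The body passed in must be the bytes exactly as received, before any JSON parsing or re-encoding by the web framework.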