We'd like to restrict access to the /fetch_stock callback url[1] so only Shopify can access it.


Is the only option to whitelist just Shopify's IP range or host name(s) the requests come from, or is there a better way?


If that is the only option, what host names or IP range should be allowed?






Any request from Shopify will have an HMAC included in the header. In this case you'd be looking for the x-shopify-hmac-sha256 header value. To confirm that this request is coming from Shopify, you would take the query params along with your app's shared secret to calculate the HMAC on your end. If it matches the header value, then you can proceed with any action you'd normally take.


Here's an example:


You get a request to that has the hmac header value of ouZ1IdDNznPwKb1NZNWkkaaA/Xnk7Y0zr54joP56eFk=.


You would use your shared secret of 123 to calculate a base64 hmac string using SHA256.


Let me know if you have any follow-up questions! You can read a bit about this process in our webhook documentation, which uses the same HMAC validation.
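An added example, not code from the post or from Shopify's own libraries, of the check the answer describes: recompute the base64 HMAC-SHA256 with the app's shared secret and compare it in constant time against the x-shopify-hmac-sha256 header. It assumes the signed message is the raw request payload bytes; the sample body, the `handle_fetch_stock` handler and the header dict are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional

# Shared secret taken from the answer's illustration; the body is a constructed
# sample. Assumption: Shopify signs the raw request payload bytes.
SHARED_SECRET = "123"
SAMPLE_BODY = b'{"rate": {"origin": {"country": "CA"}, "items": [{"sku": "SKU-1", "grams": 500}]}}'


def compute_shopify_hmac(secret: str, payload: bytes) -> str:
    """Base64 of HMAC-SHA256(secret, payload), the header's format."""
    digest = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_hmac(secret: str, payload: bytes, header_value: Optional[str]) -> bool:
    """True only if the header is a valid signature for this exact payload.

    A missing header, malformed base64, a wrong length or any byte mismatch
    all fail. compare_digest avoids leaking how many bytes matched via timing.
    """
    if not header_value:
        return False
    try:
        presented = base64.b64decode(header_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)


def handle_fetch_stock(headers: Mapping[str, str], raw_body: bytes) -> int:
    """Gate for the callback (hypothetical handler): 401 unless the HMAC verifies."""
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_shopify_hmac(SHARED_SECRET, raw_body, lowered.get("x-shopify-hmac-sha256")):
        return 401
    return 200  # proceed with the normal fetch_stock response


if __name__ == "__main__":
    good = {"X-Shopify-Hmac-SHA256": compute_shopify_hmac(SHARED_SECRET, SAMPLE_BODY)}
    print("valid request ->", handle_fetch_stock(good, SAMPLE_BODY))
    print("tampered body ->", handle_fetch_stock(good, SAMPLE_BODY + b" "))
```

The raw body must be the bytes as received, before any JSON parsing or re-serialisation, or the recomputed digest will not match.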



