SHA256 HMAC Verification on requests generated by app extension.

New Member
1 0 0

Created an APP extension that adds a post orders button to the orders action. After selecting an order and clicking the post butoon shopify sends this raw request.

GET /data?hmac=ec80a0468b4414504a6ff57de52ed8030e84f489b47f1b9830e91cb1f4203fc7&ids%5B%5D=934477070451&locale=en& HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-Forwarded-Proto: https

Spent hours looking for documentation.  I have been hashing the following string based on my interpetation of the docs I have read.


If you are wondering what method I am using to hash I am using a xojo routine that looks like this:

 sha256 = Crypto.HMAC("my secret", body, Crypto.Algorithm.SHA256)

If any one has any help or suggestions they are greatly appreciated. I apologise if I have created a duplicate thread or asking on the wrong forum. I have seen some people mentioning that undocumented protocol=https:// needed to be added as part of the body, tried it no luck.

Shopify Staff
Shopify Staff
971 6 130

The first thing I'm noticing is the ampersand at the beginning of your string (&). Is that intended? Everything else looks fine from what I can tell. There was a period where we were mistakenly including a `protocol` parameter which we have since resolved, so that shouldn't be anything to worry about unless you're seeing it on your end.


New Member
2 0 0


I am having some kind of the issue.
I added an Admin Link on "Orders action drop down".

I select 2 orders then click on my app Admin Link, I got a URL with :

Problem is I can't find a way to verify that the request comes from Shopify...
On my code I manage to get the query parameters and prepare for HMAC validation.

Here is an example of what I get :

    [0] => ids[]=833580236913&ids[]=831146786929
    [1] => locale=en
    [2] =>
    [3] => timestamp=1545221008

In PHP, I check the HMAC:

$calculated_hmac = hash_hmac('sha256', implode('&', $params), API_SECRET);

// $hmac is hmac from the request query.
return hash_equals($hmac, $calculated_hmac);

But hash_equals always returns false...

I think the problems comes from the way I deal with the array of ids because when I try the same code for an Admin Link on "Order details" then I only have 1 parameter id=123456789 and my HMAC validation works.

Anyone can help me about how to deal with ids array ?

New Member
2 0 0

Anyone ?