In order to configure our API subscription to the Shopify order/create webhook, does this API have to be completely open (public), or can we provide an auth key to Shopify so that Shopify would use that key to authenticate/send us the payload when an order is created?
We understand that we can validate whether the payload was sent from Shopify, but that happens after the payload is accepted (on the AWS side) and we start the validation of the headers. That still means that our API/endpoint is open to the world and anyone can trigger it (it just won't pass the validation). We wanted to check if we can put that wall one step before the validation and actually not allow anyone without the auth key (that we'll provide) to call the endpoint. Please let us know.
Hi @Alternatives ,
If you're using HTTP webhooks, the only thing you can do is include a "key" in the url that you subscribe to the webhook with and then have logic on your API to filter out requests without that "key" passed in. We don't support using an actual auth key.
Alternatively, if you don't want to spin up a public API, you can use an alternative delivery method. Are you using a cloud provider such as AWS or GCP?
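A receiver that applies both gates in the order the thread describes, the URL "key" filter first and the HMAC header validation second, as an added example that is not Shopify's or the original posters' code; the endpoint URL, the secret and the key values are constructed placeholders:

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample values. A real deployment uses the app's API secret
# key from Shopify and a randomly generated key baked into the webhook URL.
WEBHOOK_SECRET = "constructed-app-api-secret"
URL_KEY = "constructed-random-url-key"


def compute_shopify_hmac(secret: str, raw_body: bytes) -> str:
    """Base64(HMAC-SHA256(secret, raw body)): the value Shopify sends in
    the X-Shopify-Hmac-SHA256 header."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def check_url_key(url: str, expected_key: str) -> bool:
    """First gate: the 'key' query parameter from the subscribed URL.
    It only filters noise; the key is visible in the URL and in access
    logs, so it never replaces the HMAC check."""
    supplied = parse_qs(urlparse(url).query).get("key", [""])[0]
    return hmac.compare_digest(supplied.encode("utf-8"), expected_key.encode("utf-8"))


def verify_webhook(url: str, headers: dict, raw_body: bytes,
                   secret: str = WEBHOOK_SECRET, url_key: str = URL_KEY) -> tuple:
    """Return ("accept", None) or ("reject", reason). The URL key is
    checked before the body is touched; the HMAC is computed over the raw
    bytes, never over a re-serialised JSON object."""
    if not check_url_key(url, url_key):
        return ("reject", "missing-or-wrong-url-key")
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied_hmac = lowered.get("x-shopify-hmac-sha256", "")
    expected_hmac = compute_shopify_hmac(secret, raw_body)
    if not hmac.compare_digest(supplied_hmac.encode("utf-8"), expected_hmac.encode("utf-8")):
        return ("reject", "bad-hmac")
    return ("accept", None)


if __name__ == "__main__":
    # Constructed order payload and a matching header, as Shopify would send it.
    body = b'{"id": 1001, "email": "buyer@example.com"}'
    hdrs = {"X-Shopify-Hmac-SHA256": compute_shopify_hmac(WEBHOOK_SECRET, body)}
    print(verify_webhook("https://api.example.com/hooks/orders?key=" + URL_KEY, hdrs, body))
    print(verify_webhook("https://api.example.com/hooks/orders", hdrs, body))
```

The URL key rejects stray traffic cheaply, but only the HMAC over the raw body proves the payload came from Shopify, so both checks stay.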
Ok, in that case you're better off using our integration with EventBridge. You won't need to validate them either.
See the following for more info