Webhook Validation

Highlighted
Shopify Partner
2 0 1

Hi – I create a new webhook (order payment event) via the API. Do I use my Shopify “shared_secret” to validate the “X-Shopify-Hmac-SHA256” token passed in the header of the request? I am using .Net to validate the token – does anyone have sample .Net validation sample code?

1 Like
Highlighted
Shopify Staff
Shopify Staff
1555 81 278

I don't have a .Net code snippet to share, but the algorithm can be seen in Ruby and PHP here: https://help.shopify.com/en/api/getting-started/webhooks#verify-webhook

You are correct in that you use the shared_secret as set in your partner dashboard to validate the HMAC. In the example, `data` is the stringified JSON, and the actual values being compared are the Base64 representations of the HMAC, so make sure you encode your HMAC as Base64 before comparing.

Cheers.

0 Likes
Highlighted
Tourist
3 0 0

Does anyone have the .NET code example?

0 Likes