Webhook validation in Javascript/NodeJS



Does anybody know how to validate a webhook in JavaScript?

I'm not sure whether what is being encoded is the request body as a string, or how. This is the code I have so far:

const digest = crypto
    .createHmac('SHA256', sharedSecret)
    .update(data)
    .digest('base64');
console.info('isSameDigest', digest, hmac);
return digest === hmac;

"data" in this case is request.body


Community Manager

Hi Leandro,

Are you saving data as a utf-8 encoded string? It looks like other people have had success this way. Let me know if you continue to have trouble.

New Member



This is the NodeJs that I am using to validate the webhook, and it is not working.  Can you provide any direction?

Thank you in advance.


const express = require('express')
const app = express()
const getRawBody = require('raw-body')
const crypto = require('crypto')
const bodyParser = require('body-parser');
const secretKey = 'SECRET KEY'

exports.webhookChecker = (req, res) => {
  const webhook_hmac = req.get('X-Shopify-Hmac-SHA256')

  // Create a hash using the body and our key
  const hash = crypto
    .createHmac('sha256', secretKey)
    .update(req.body)
    .digest('base64')

  // Compare our hash to Shopify's hash
  if (hash === webhook_hmac) {
    // It's a match! All good
    console.log('Webhook came from Shopify!');
  } else {
    // No match! This request didn't originate from Shopify
    console.log('Danger! Not from Shopify!')
  }
}

Shopify Partner

Try with


.update(JSON.stringify(req.body), 'utf8')

Also, doing a regular equality check isn't recommended, as it leaves you vulnerable to timing attacks. Prefer to use safe-compare when checking the 2 hashes.


Looks okay otherwise.

I turn coffee in to code - since 1998
New Member

Thank you, Karl. I tried that, and it is still not working. I have verified that I am using the correct secret key, but I still can't validate the test webhook. I will implement the safe-compare before I go live; thank you for the suggestion.

The Ruby and PHP examples reference $data, and I am assuming that this is just what is returned by req.body. Is there anywhere, that you know of, that I can see exactly what I should be hashing?

Shopify Partner

Check koa webhook middleware or express equivalent etc. Quite a few of these out in the wild.

I turn coffee in to code - since 1998

I can confirm that I'm getting the same error, I have similar code in my program:


verifyHmac(data, hmac) {
  if (!hmac) {
    return false;
  } else if (!data) {
    return false;
  }
  const calculatedSignature = crypto.createHmac('sha256', config.sharedSecret).update(data, 'utf8').digest('base64');
  return calculatedSignature === hmac;
}

However, it still doesn't work. Any help? :)

Check out our newest app Daily Deals: https://apps.shopify.com/daily-deals-6
Shopify Partner

You need to use the following. You can validate this by generating a hash in liquid then validating with your function.

    {% assign my_secret_string = "no can defense the darce" | hmac_sha256: "protect ya neck fool" %}
    console.log('sha256 {{my_secret_string}}')


const crypto = require('crypto')

function compare_sha256 (inbound_hmac, secret, str) {
  console.log('secret, str', secret, str)
  // Hex digest, to match the output of Liquid's hmac_sha256 filter
  var my_hmac = crypto.createHmac('sha256', secret).update(str).digest('hex')
  console.log('inbound_hmac', inbound_hmac, 'my_hmac', my_hmac)
  return inbound_hmac === my_hmac ? true : false
}
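
An added example, not code from any poster in this thread: it computes the HMAC over the raw body bytes and compares in constant time with Node's built-in crypto.timingSafeEqual (used here in place of the safe-compare package mentioned above). It assumes the X-Shopify-Hmac-SHA256 header carries the base64 HMAC-SHA256 of the unparsed request body; the function names, secret and payload are constructed for illustration.

```javascript
const crypto = require('crypto');

// Verify a webhook signature over the raw request body bytes.
// rawBody:    Buffer holding the body exactly as received (before JSON parsing)
// headerHmac: value of the X-Shopify-Hmac-SHA256 header (base64 string)
function verifyWebhook(rawBody, headerHmac, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof headerHmac !== 'string') return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(headerHmac, 'base64');
  // timingSafeEqual throws on a length mismatch, so check the length first.
  // The length of a SHA-256 MAC is public, so this check reveals nothing useful.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not real webhook traffic, not a real secret).
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_RAW = Buffer.from(
  '{"id": 1001, "note": "caf\\u00e9", "total": "10.00"}', 'utf8');
// What the sender would put in the header: base64 HMAC of the raw bytes.
const SAMPLE_HEADER = crypto
  .createHmac('sha256', SAMPLE_SECRET).update(SAMPLE_RAW).digest('base64');

// Parsing and re-stringifying the body changes its bytes (spacing, \u escapes),
// so the HMAC of an already-parsed req.body no longer matches the header.
function reserialized(raw) {
  return Buffer.from(JSON.stringify(JSON.parse(raw.toString('utf8'))), 'utf8');
}

function demo() {
  return {
    rawOk: verifyWebhook(SAMPLE_RAW, SAMPLE_HEADER, SAMPLE_SECRET),
    reserializedOk: verifyWebhook(reserialized(SAMPLE_RAW), SAMPLE_HEADER, SAMPLE_SECRET),
    wrongSecret: verifyWebhook(SAMPLE_RAW, SAMPLE_HEADER, 'other-secret'),
    truncatedHeader: verifyWebhook(SAMPLE_RAW, SAMPLE_HEADER.slice(0, 10), SAMPLE_SECRET),
  };
}

console.log(demo());
```

In Express, the raw bytes can be captured with express.raw({ type: 'application/json' }) or with the verify callback of express.json(), before any JSON parsing touches the body.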