Webhook verification process and use bcrypt in addition to sha256


Hi Support,


We have created a PHP based webhook as per Shopify guidelines to check the order signature. Here is the code:


<?php
// Verifying a Shopify webhook order by recomputing the HMAC over the raw request body

function verify_webhook($data, $hmac_header) {
    // HMAC-SHA256 over the raw body, keyed with the app secret, base64-encoded as Shopify sends it
    $calculated_hmac = base64_encode(hash_hmac('sha256', $data, SHOPIFY_APP_SECRET, true));
    // Constant-time comparison so the check does not leak timing information
    return hash_equals($hmac_header, $calculated_hmac);
}

// Default to an empty string so hash_equals() always receives a string, even if the header is missing
$hmac_header = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? '';
$data = file_get_contents('php://input');
$verified = verify_webhook($data, $hmac_header);
Our risk assessment team reviewed the code and said that 'sha256' encryption is weak and deprecated, suggested using 'bcrypt' in addition to HMAC, and provided the following URL:
As we are receiving the signature from Shopify through the webhook, is there any possibility of applying 'bcrypt' in addition to 'sha256'? Please let us know your thoughts and provide guidance on this.


Shopify Staff

For storing passwords, bcrypt is a good option. This is what the linked stackexchange article recommends. SHA256 isn't deprecated, and for HMAC based on a secret key, the encryption isn't considered weak.

HMAC and password storage are different problems. bcrypt is designed to be purposefully slow to prevent brute force attacks, which is a poor choice for something like webhooks, when you may be processing thousands (or tens of thousands) a second.

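The following is an added example, not code from the original post or from Shopify. It runs the same HMAC-SHA256 check the poster's code performs against a constructed body and secret, shows two ways a verification can wrongly fail or succeed (a tampered body, and a re-serialised body), and then times one HMAC verification against one bcrypt hash to make the staff reply's cost argument concrete. The secret, body and timing loop are all constructed for this demo; `DEMO_APP_SECRET`, `sign_webhook` and `verify_webhook` are names chosen here, not Shopify API names.

```php
<?php
// Added example: HMAC-SHA256 webhook verification versus bcrypt cost.
// Everything below (secret, body, header) is constructed for the demo.

// Constructed app secret; a real app loads this from configuration, never from source.
const DEMO_APP_SECRET = 'shpss_demo_secret_not_real';

// Recompute the HMAC-SHA256 over the raw body and compare in constant time.
function verify_webhook(string $data, string $hmac_header, string $secret): bool {
    $calculated_hmac = base64_encode(hash_hmac('sha256', $data, $secret, true));
    return hash_equals($hmac_header, $calculated_hmac);
}

// Stands in for the sender: the header is the base64 HMAC of the exact raw body bytes.
function sign_webhook(string $data, string $secret): string {
    return base64_encode(hash_hmac('sha256', $data, $secret, true));
}

// Constructed webhook body. Note the spaces: they matter for step 3 below.
$body   = '{"id": 1001, "total_price": "42.00", "currency": "USD"}';
$header = sign_webhook($body, DEMO_APP_SECRET);

// 1. A genuine delivery verifies.
var_dump(verify_webhook($body, $header, DEMO_APP_SECRET));        // bool(true)

// 2. A body altered in transit fails, because the header no longer matches.
$tampered = str_replace('"42.00"', '"0.01"', $body);
var_dump(verify_webhook($tampered, $header, DEMO_APP_SECRET));    // bool(false)

// 3. Decoding and re-encoding the JSON changes the bytes (whitespace is dropped),
//    so the check must always run over the raw php://input, not over parsed data.
$reencoded = json_encode(json_decode($body));
var_dump($reencoded === $body);                                   // bool(false)
var_dump(verify_webhook($reencoded, $header, DEMO_APP_SECRET));   // bool(false)

// 4. Cost comparison: 1000 HMAC verifications versus a single bcrypt hash.
$t = microtime(true);
for ($i = 0; $i < 1000; $i++) {
    verify_webhook($body, $header, DEMO_APP_SECRET);
}
$hmac_ms_each = (microtime(true) - $t) * 1000 / 1000;

$t = microtime(true);
password_hash($header, PASSWORD_BCRYPT);   // slow by design; that is the point of bcrypt
$bcrypt_ms = (microtime(true) - $t) * 1000;

printf("HMAC-SHA256 verify: %.4f ms each\n", $hmac_ms_each);
printf("bcrypt hash (default cost): %.1f ms for one call\n", $bcrypt_ms);
```

Run it with `php demo.php`. The first three checks show that the HMAC already binds the header to the exact bytes received, which is the integrity property the risk review is asking for; the timing section shows why layering bcrypt on top would only add tens of milliseconds of CPU per delivery without strengthening that property, since the secret still has to be available in plaintext to recompute the HMAC.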