Webhooks: Difference between Shared Secret and Signature String from Webhook Settings Page?

New Member
2 0 0

Hi, I'm verifying the validity of incoming webhooks sent by Shopify using the string from the webhook settings and the following code:

const hash = crypto
      .createHmac('sha256', shopifySignatureSecret)
      .update(rawBody, 'utf8')

shopifySignatureSecret is set to the following string from /admin/settings/notifications:

CleanShot 2021-07-15 at 12.41.41@2x.png

However, in my private app's settings (/admin/apps/private/<app-id>), there is a shared secret:

CleanShot 2021-07-15 at 12.40.41@2x.png

My guess is that both secrets work:

- Signature string from webhook settings (screenshot 1) can be used to verify webhooks that were registered in the admin UI

- App's Shared Secret (screenshot 2) can be used if I use the Shopify API to register webhooks for my specific app

Is this correct or am I doing something wrong?

Thanks for your help!

Shopify Staff
Shopify Staff
56 12 14

This is an accepted solution.

Hello, @Macks ! Welcome to the community!

You're correct, since there are 2 types of webhooks:

  1. Webhooks that are registered manually by merchants in their Shop (via /admin/settings/notifications). These are signed with the secret that you see on this page, and will only trigger for that particular shop.
  2. Webhooks that are registered whenever an application is installed (what you see in /admin/apps/private/<app-id>). These are signed with the secret that you see on this page for any Shop that installs your app.

So the complicated answer is both would work, but only in their respective contexts. Are you testing something temporary / want to create a webhook for a single Shop? Then use 1. Are you developing an app that you want other Shops to be able to use? Use 2.

Hopefully that helps!

james-langille | Developer @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

New Member
2 0 0

Hi James, that makes perfect sense. Thanks for confirming!