Hi, I'm verifying the validity of incoming webhooks sent by Shopify using the string from the webhook settings and the following code:
```javascript
const hash = crypto
  .createHmac('sha256', shopifySignatureSecret)
  .update(rawBody, 'utf8')
  .digest('base64')
```
shopifySignatureSecret is set to the following string from /admin/settings/notifications:
However, in my private app's settings (/admin/apps/private/<app-id>), there is a shared secret:
My guess is that both secrets work:
- Signature string from webhook settings (screenshot 1) can be used to verify webhooks that were registered in the admin UI
- App's Shared Secret (screenshot 2) can be used if I use the Shopify API to register webhooks for my specific app
Is this correct or am I doing something wrong?
Thanks for your help!
This is an accepted solution.
Hello, @Macks! Welcome to the community!
You're correct, since there are 2 types of webhooks:
So the complicated answer is both would work, but only in their respective contexts. Are you testing something temporary / want to create a webhook for a single Shop? Then use 1. Are you developing an app that you want other Shops to be able to use? Use 2.
Hopefully that helps!
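The check discussed in this thread, as an added example that is not part of the original posts or Shopify's own code: it compares the computed HMAC with the value from the `X-Shopify-Hmac-Sha256` header in constant time and reports which of the two secrets verified the body. The names `SECRETS`, `computeHmac`, `hmacMatches` and `webhookOrigin`, and all sample values, are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample secrets; real values come from the two settings pages.
const SECRETS = {
  adminUi: 'constructed-notifications-signing-string',
  app: 'constructed-app-shared-secret',
};

// Same computation as in the question: HMAC-SHA256 over the raw body, base64.
function computeHmac(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}

// Constant-time comparison; timingSafeEqual throws on unequal lengths,
// so a length mismatch is rejected first.
function hmacMatches(rawBody, headerValue, secret) {
  const expected = Buffer.from(computeHmac(rawBody, secret), 'base64');
  const received = Buffer.from(String(headerValue || ''), 'base64');
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Returns 'adminUi', 'app', or null when neither secret verifies the body.
function webhookOrigin(rawBody, headerValue, secrets = SECRETS) {
  for (const [origin, secret] of Object.entries(secrets)) {
    if (hmacMatches(rawBody, headerValue, secret)) return origin;
  }
  return null;
}

// Constructed payload, signed the way an app-registered webhook would be.
const sampleBody = Buffer.from('{"id": 1001, "email": "a@example.com"}', 'utf8');
const sampleHeader = computeHmac(sampleBody, SECRETS.app);

console.log(webhookOrigin(sampleBody, sampleHeader)); // app
// Re-serialising the parsed JSON changes the bytes, so verification fails.
const reserialised = JSON.stringify(JSON.parse(sampleBody.toString('utf8')));
console.log(webhookOrigin(reserialised, sampleHeader)); // null
```

The second call shows why the HMAC must be computed over the request body exactly as received, before any JSON parsing middleware touches it.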