Verifying Shopify Webhooks for Public apps

Shopify Partner
23 0 2


I have been looking for documentation on how to verify webhooks for public apps and I am unable to find any. From, what I have gathered, private apps use a WEBHOOK_SIGNED_KEY available at the store admin level. I thought using API Key / API Secret  could be an alternative for public apps, but that doesn't seem to be the case. The below code is what I have tried up till now. 



def verify_hmac(secret, body, shopify_hmac):  
    hash_code ='utf-8'), body, hashlib.sha256)  
    computed_hmac = base64.b64encode(hash_code.digest()).decode()
    return computed_hmac == shopify_hmac

def save_webook_payload(request):
    if request.method == 'POST':

        shopify_hmac = request.headers.get('X-Shopify-Hmac-Sha256')  
        if verify_hmac(SHOPIFY_API_SECRET, request.body, shopify_hmac):  
            return JsonResponse( { 'data': 'Payload Recieved'}, safe = False )
            raise Http404("No such Page")

    raise Http404("No such Page")





Thank you. 

Shopify Partner
132 29 33

Hi shahrukhAhmed,


I had to recently implement the same and it depends on how the webhook is registered. 

If your webhook was registered via API then you need to use your app's API Secret.

Looking at your code you probably just need to encode the body instead of encoding the secret in your verify_hmac function.

This page has an example in python:

- Yes, we build Shopify Apps. Hit me with your idea:
- Let customers preview your products and easily add them to cart with Peek Mode
- Add free, good looking social share icons with built-in analytics to your store with Share Lab
- Manage your new arrivals with Newr