Webhook Hmac verification fails

New Member
2 1 1



I've created a webhook through the API. I'm using php and the routine described https://help.shopify.com/en/api/getting-started/webhooks#verifying-webhooks to verify the integrity of the response.

The calculated Hmac that I obtain is not correct. I have the shared secret to verify the webhook from de private app dashboard and I have the X-Shopify-Hmac-SHA256 from the header of the request. If I check the the calculated hmac through https://www.freeformatter.com/hmac-generator.html, with my secret and the json data received, the hmac is the same that comes into X-Shopify-Hmac-SHA256 header.


I searched by the web and I have tried everything unsuccessful. Shared secret has hex codification and X-Shopify-Hmac-SHA256 base64 codification, I have codificated the two keys to base64 but it doesn't work.

Other thing that I saw was to delete something parameter from the query string header, but that filed comes empty for me.


Help is always welcome. Thanks in advance!

1 Like
New Member
2 1 1

This is an accepted solution.

Solved: I was defining the secret_shared as $shared_secret = 'xxxxx...' instead of define('shared_secret', 'xxxxx...'). It seems define() declares a global variable with a fix value and it can be called from any part of the code.

25 3 5

i just found this answer, but no code example, here is how i'm doing, and it its working:


data is just:


$data = file_get_contents("php://input")

The verify function:



private  function hashHMAC($hmac, $data, $shared_secret)
        $hmac = bin2hex(base64_decode($hmac));
        $computed_hmac = hash_hmac('sha256', $data, $shared_secret);

        return hash_equals($hmac, $computed_hmac);