App development HMAC verification

App development HMAC verification

1 0 0


Do we need to verify the HMAC during the initial app redirect (installation phase)? If yes, which fields in the initial payload are involved? Also, should we validate the HMAC signature when we receive the OAuth2 request with the authorization code? And, which secret should we use for signing the payload? 

Thank you.

Reply 1 (1)

Shopify Staff
1829 271 415

Hey @arkadi-kreichma 

Verify the installation request? Yep, here's how.


Validate authorization code? Yep, here's how.

Which secret key? The secret key is the `client secret` from the Partner dashboard > Select the app.



Scott | Developer Advocate @ Shopify