Invalid hex characters in request HMAC query parameter?

Invalid hex characters in request HMAC query parameter?

Shopify Partner
20 3 2

In May I've seen 3 occurrences of invalid hex characters in a very small number of requests. For example, I'm seeing requests to my OAuth callback endpoint with a query parameter that looks like:



I was under the impression from the documentation that:


> The message is authentic if the generated hexdigest is equal to the value of the hmac parameter


Is this a malicious actor/test that I'm validating the requests correctly, or have I misunderstood the implementation required for HMAC validation (that it is always a hex string)?


Reply 1 (1)

Shopify Staff (Retired)
254 20 48

Requests to the OAuth callback endpoints should always be hex encoded, but it's worth mentioning that hmac values for webhooks are base64 encoded (which this value looks to be).

You may want to check to make sure that a few webhooks aren't sneaking into this route, but your assumption that OAuth hmac callbacks are hex values is correct.

Shayne | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit or the Shopify Web Design and Development Blog