Billing API redirect

4 0 2

Every request or redirect from Shopify to the client server includes an hmac parameter that can be used to verify the authenticity of the request from Shopify. For each request, you must remove the hmac entry from the query string and process it through an HMAC-SHA256 hash function.

According to the official documentation, and the APIs used until now, it was expected that my verifyRequest middleware, that was verifying correctly other requests, should accept every request being redirected from Shopify. It happens that when I try to use the Billing API, the request does not comes signed and then doesn't pass in the request verification. Is this an expected behavior? The redirect URL only comes with the query string "charge_id=1234567", different than the other requests that were redirected from Shopify, like the app installation callback URL.


Does any one knows what can be done instead? I thought of accepting the request without verifying it, signing it myself, and redirect myself to the correct endpoint with the verification middleware.


Thank you very much.

Replies 2 (2)
174 13 37

I am having the same problem and found your post. Others have asked this question and have gotten no responses:

This is what I'm going to do (also writing this out for my own benefit to clarify my thinking):

  1. Merchant clicks add app, it routes to{shopOrigin}
  2. At that point I generate an OAuth permissionUrl
  3. They accept scopes and install app and it directs them to my redirecturi (with hmac, etc. appended)
  4. There, I'll check to see if the shop has an active billing scheme and charge_id in my db (they won't) and I'll create the GraphQL for appSubscriptionCreate where my returnUrl also includes ?shop={shopOrigin} and redirect them to confirmation_url to start their trial. 
  5. After that, they land at{charge_id}&shop={shopOrigin} - if the url parameter contains charge_id I'll do another GraphQL request to verify the charge_id is activated and if so, store that in my db 
  6. If the charge id is activated, I effectively re-route them through all of the above again (the same as a returning user effectively) but they'll automatically skip OAuth and they'll pass my billing check and they can enter the app (at which point hmac, etc. gets automatically appended)


After I wrote the above I found this thread where @Joel-Reeds lays out a similar flow so I think I'm on the right track. But good grief, is it supposed to be this laborious for app developers who want to simply publish an app with a trial + monthly subscription? If Shopify already automatically stops billing merchants when they uninstall our app, why can't they do the same when a merchant installs our app?



New Member
3 0 0

I hear you,

I'm struggling just the same...