Can you tell me the IP address range of the Shopify api or the Shopify wehook servers

Shopify Partner
1 0 1


I'm trying to setup a web server to handle the shopify webhooks about order info and get the product Inventory info with the api.

Just like the example

To be safety,I setup some firewall rules and want to make a whitelist of the IP addresses .
so that only Shopify's server can access our server.

I try to google to find something about the IP range of Shopify, but i got nothing.

Can you help me ?

Replies 9 (9)
Shopify Staff
Shopify Staff
1561 81 339

Hey there,

You shouldn't have to be validating that requests are coming from Shopify on the network level. Our webhook requests come with a calculated HMAC signature to verify that the request in fact came from Shopify:


Alex | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

New Member
1 0 9

I know this is an old post, but @Alex, to be blunt that answer is not acceptable.  People whitelist for a lot of reasons, only 1 of which might be to verify the request is coming from you.  I'm running into this now with our Shopify integration and the biggest reason we want to whitelist is not to verify the shopify connection it is to AVOID ALL OTHER CONNECTIONS!   Why expose a service that needs a request from 1 application to the entire world to be attacked and possibly compromised?!?  


Can you confirm if Shopify still hasn't fixed this issue?  It is pretty standard in the industry, even if that whitelist includes entire class-c ranges, to provide IPs for whitelisting for webhooks.  The fact Shopify doesn't take this level of security seriously is very concerning.

New Member
1 0 3

@Alex Can you please provide an answer?

New Member
1 0 3

I also would like an answer to this.

10 2 4

Any traction on this?  This is a very basic and necessary ask.  There must be a CIDR you can provide for whitelisting.

Shopify Partner
2 0 0

Giving this another boost. It's asinine to completely open a server up to connections from any source if there's only a need to accept Shopify webhooks.

New Member
1 0 0

Giving this yet another boost. Like the others have stated, it is ridiculous to not offer an updated IP range to block 99% of the internet from hitting a service that needs to come from a single source. 

Shopify Partner
134 5 28

jI doubt this will be resolved any time soon as it seems requires some infrastructural changes for Shopify backend.

3 0 2

From what i have found the entire IP address space used/owned by Shopify is as follows:

Hopefully this helps someone out there