
When Shopify redirects to return_url for Billing API, no hmac/signature or shop domain sent

Shopify Partner
1 0 2


For almost all the APIs where a redirect or server-to-server API call happens from Shopify's end, we get an hmac/signature along with the shop domain to validate if the call originated from Shopify. Is there any specific reason why the same is not the case when Shopify redirects to the return_url that we send while creating an ApplicationCharge/RecurringApplicationCharge using the Billing APIs?

During the redirect, we are only provided with the charge_id as the URL param. Are we expected to maintain a mapping of charge id to shop domain on our end to figure out which shop's access token has to be used to be able to get the ApplicationCharge/RecurringApplicationCharge and to activate it?

Replies 6 (6)
Shopify Partner
1 0 1

I'm also seeing this behavior. Can anyone confirm whether this redirect deliberately does not have both the shop and hmac query string params?

Shopify Partner
42 1 39

I'd like to know why this behaviour seems to be inconsistent with the rest of the platform too. It makes things rather more awkward than they need to be.

5 1 0

Any resolution here? Having the same issue.

Shopify Partner
10 1 2

Yeah I'm seeing this behaviour also. However, if I leave the return_url blank, then it seems to default to the install url from the app settings with hmac included.

Shopify Partner
201 9 61

There are old threads in this forum about this strange omission with some workarounds mentioned; please do a search.

Shopify Expert
4828 60 576

I think you can add to this, Admin Links. They get an HMAC in the querystring and the shop name but there is no indication as to how these are used to validate incoming calls to an App. So when we are using JWT, what are we to do when we get Admin Links as well as this issue with the billing?

As for Billing, I had usually already set up a session, so when Shopify calls the return URL it is already tagged to a session for the store, but I can see how that would not be true for a lot of other use cases.

Custom Shopify Apps built just for you!
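
One way to handle the missing shop and hmac on the billing redirect, as an added example that is not from any poster in this thread and not Shopify's own code: the app signs the shop domain into the return_url it sends when creating the charge, then verifies its own signature when the redirect arrives. It assumes query parameters the app places in return_url survive the redirect alongside the appended charge_id; `APP_SECRET`, `BASE_RETURN_URL` and the parameter names `ts` and `sig` are hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration only; the secret is the app's own key.
APP_SECRET = b"constructed-app-secret"
BASE_RETURN_URL = "https://app.example.com/billing/return"
MAX_AGE_SECONDS = 3600  # how long a pending charge approval stays valid


def _sign(shop: str, ts: str) -> bytes:
    """HMAC-SHA256 over the fields the app controls (shop and timestamp)."""
    msg = f"shop={shop}&ts={ts}".encode()
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest().encode()


def build_return_url(shop: str, now: Optional[int] = None) -> str:
    """URL to pass as return_url when creating the charge for `shop`."""
    ts = str(int(time.time()) if now is None else now)
    query = urlencode({"shop": shop, "ts": ts, "sig": _sign(shop, ts).decode()})
    return f"{BASE_RETURN_URL}?{query}"


def verify_return(url: str, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Return (shop, charge_id) if the app's signature is valid, else None."""
    params = parse_qs(urlsplit(url).query)
    try:
        (shop,), (ts,), (sig,), (charge_id,) = (
            params["shop"], params["ts"], params["sig"], params["charge_id"])
    except (KeyError, ValueError):
        return None  # a parameter is missing or appears more than once
    # Constant-time comparison on bytes; a tampered shop or ts fails here.
    if not hmac.compare_digest(_sign(shop, ts), sig.encode()):
        return None
    # ts is covered by the signature, so it is the integer the app issued.
    current = int(time.time()) if now is None else now
    if not 0 <= current - int(ts) <= MAX_AGE_SECONDS:
        return None
    return shop, charge_id
```

The charge_id is appended after signing and is therefore not covered by the signature; fetching the charge with the verified shop's access token is what confirms that the charge belongs to that shop.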