
How to match Webhook callback headers from Shopify to knowable information?

Solved

pmaierean
Shopify Partner

Hello

We are facing a dilemma regarding the usage of any of the headers that Shopify passed during the callback to a Webhook. The list of generic headers (good for all topics) is documented well at https://shopify.dev/docs/apps/build/webhooks. However, there are two significant issues with them:

1. The X-Shopify-Webhook-Id cannot be known by the application upfront because Shopify does not provide any specific API to retrieve that information during install. When the application registers the webhook with a store using the provided API (refer to webhookSubscriptionCreate), upon success, it returns the webhook as 'gid://shopify/WebhookSubscription/1368875729053'. Yet, during the regular processing of the store when a callback is made for that topic, the value provided for the X-Shopify-Webhook-Id comes as '1abc012a-c7b1-4009-bd54-10f18ca4404b'. How can the application know that '1abc012a-c7b1-4009-bd54-10f18ca4404b' is 'gid://shopify/WebhookSubscription/1368875729053' before the callback to validate?

2. The X-Shopify-Hmac-Sha256 cannot be calculated by the same application upfront because that header is based on the Store Webhook secret. Any Store has its own such secret. How can an installed application obtain that secret from the Store using a Shopify-provided API?

Accepted Solution (1)

pmaierean
Shopify Partner

This is an accepted solution.

In the meantime, I found out that X-Shopify-Webhook-Id is used by Shopify for tracing purposes, and it is not meant to be used for the validation of the request by the webhook of the application.

Secondly, X-Shopify-Hmac-Sha256 is obtained by hashing the payload of the request with a "Message Authentication Code" (MAC) algorithm using the Secret Key of the application if the webhook is registered using the API. Note that, in contrast to the HMAC parameter of a GET call, which is hex encoded, the one provided in the POST request header (X-Shopify-Hmac-Sha256) is Base64 encoded, therefore visually they display differently (e.g. an HMAC in hex could be '2535d9f2daea891ae0fcb40c23871a81e1490dd812f175137471c98e1f7f0243' where the same value encoded in Base64 displays as 'JTXZ8trqiRrg/LQMI4cageFJDdgS8XUTdHHJjh9/AkM=').
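The check described in the accepted solution, as an added example that is not part of the original post or Shopify's own code: it recomputes the HMAC-SHA256 over the raw POST body with the app's secret key, compares it to the Base64 header in constant time, and shows that the post's hex and Base64 strings are the same 32 bytes. The function names, secret and body are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def webhook_digest(raw_body: bytes, app_secret: str) -> bytes:
    """HMAC-SHA256 over the raw POST body, keyed with the app's secret key."""
    return hmac.new(app_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()


def verify_webhook(raw_body: bytes, header_value, app_secret: str) -> bool:
    """Check a Base64 X-Shopify-Hmac-Sha256 value against our own digest."""
    if not header_value:
        return False  # header absent: reject
    try:
        received = base64.b64decode(header_value, validate=True)
    except ValueError:
        return False  # not Base64 at all: reject
    # Constant-time comparison of the decoded bytes.
    return hmac.compare_digest(received, webhook_digest(raw_body, app_secret))


def hex_to_b64(hex_digest: str) -> str:
    """Re-encode a hex digest (GET hmac style) as Base64 (header style)."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


# Constructed sample data, not real Shopify traffic or a real secret.
SECRET = "constructed-app-secret"
BODY = b'{"id": 1, "topic": "orders/create"}'
HEADER = base64.b64encode(webhook_digest(BODY, SECRET)).decode("ascii")

if __name__ == "__main__":
    print("exact body:", verify_webhook(BODY, HEADER, SECRET))
    # Re-serialising parsed JSON changes the bytes, so the MAC no longer matches.
    reserialised = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    print("re-serialised body:", verify_webhook(reserialised, HEADER, SECRET))
    # A hex digest in place of the Base64 header value does not verify either.
    print("hex as header:", verify_webhook(BODY, webhook_digest(BODY, SECRET).hex(), SECRET))
    # The two example strings from the post are the same 32 bytes.
    print(hex_to_b64("2535d9f2daea891ae0fcb40c23871a81e1490dd812f175137471c98e1f7f0243"))
```

In a real handler the bytes passed as `raw_body` must be the request body exactly as received, read before any JSON parsing middleware touches it.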
