How to validate webhook created via REST API

Shopify Partner
8 0 0

I have registered some webhooks via the REST API accessed using the Admin API access key from the custom developed app. (No partner, no OAuth). Which secret am I supposed to use to generate the webhook SHA256 for validation? I only have Admin API access token and API secret key, no Client Secret as mentioned in the docs.

Both the Admin API access token and API secret key generate different hashes.

Replies 3 (3)

Shopify Partner
8 0 0

I am helpless. Any ideas?

14 1 1

Validate the HMAC from request header.


Shopify Partner
5 0 1


you can try this code.By the way,the code dev with python.


1. the "data" args, is your request body with bytes.

2. the "hmac_header" from your request header with key "x-shopify-hmac-sha256".


import base64
import hashlib
import hmac

def verify_webhook(data, hmac_header):
digest ={Use your secret key here}.encode("utf-8"), data, digestmod=hashlib.sha256).digest()
computed_hmac = base64.b64encode(digest)
return hmac.compare_digest(computed_hmac, hmac_header.encode("utf-8"))