How to validate webhook created via REST API

Broono · ‎12-05-2023

I have registered some webhooks via the REST API accessed using the Admin API access key from the custom developed app. (No partner, no OAuth). Which secret am I supposed to use to generate the webhook SHA256 for validation? I only have Admin API access token and API secret key, no Client Secret as mentioned in the docs.

Both the Admin API access token and API secret key generate different hashes.

Broono · ‎12-05-2023

I am helpless. Any ideas?

Sunil-Kumar · ‎12-06-2023

Validate the HMAC from request header.

SK

OvenGui · ‎12-06-2023

Hi,

you can try this code.By the way,the code dev with python.

1. the "data" args, is your request body with bytes.

2. the "hmac_header" from your request header with key "x-shopify-hmac-sha256".

import base64
import hashlib
import hmac

def verify_webhook(data, hmac_header):
    digest = hmac.new({Use your secret key here}.encode("utf-8"), data, digestmod=hashlib.sha256).digest()
    computed_hmac = base64.b64encode(digest)
    return hmac.compare_digest(computed_hmac, hmac_header.encode("utf-8"))

How to validate webhook created via REST API

How to validate webhook created via REST API

Community Blog Articles