How to verify a webhook in an Azure function application?

1 0 0

I am currently having issues verifying a webhook. 

The webhook is set up to go to an Azure function application. This is the code that I have:

const secret = "EXAMPLESECRET"

function verifyWebhookSignature(req) {
    const signature = req.headers["x-shopify-hmac-sha256"];
    const genSig = crypto.createHmac('sha256', secret).update(JSON.stringify(req)).digest("base64");
    return genSig === signature;

I am unsure if I should be creating an APP and using the API Secret or if I should be using the signature in this screenshot?


Currently it is set to the signature in the screenshot and the genSig never matches the x-shopify-hmac-sha256. I have been testing it with the "Send Test Notification" button in case that helps.
Am I required to create an app? currently I still receive all the information I need in the req's I just want to validate it for security reasons. 


Replies 2 (2)

New Member
19 0 0

Webhooks signature needs app secrets for verification. 


Refer Link 

Shopify Partner
6 0 2

Hi, did you solve this because we are having a similar issue. The 'hmac' never matches doing the following with our secret key or webhook key in Remix:


export async function action({ request }) {
  const hmacHeader = request.headers.get('X-Shopify-Hmac-SHA256');

  const data = request.json();

  const SHOPIFY_APP_SECRET = process.env.SECRET; // Get Shopify secretkey from env variable

  const calculated_hmac = crypto.createHmac('sha256', SHOPIFY_APP_SECRET).update(JSON.stringify(data)).digest('base64');

  // These never match
  // hmacHeader == calculated_hmac;