Initial requirements - HTTPS webhook


Hi guys, 


We're facing this problem before submitting the app. This is the message: "Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest". 


I have some questions:

1. For now, we have followed the Shopify resources. However, the message is still there. 
Do you know whether this testing process is automatic or manual? 

We're planning to resubmit if this process is manual.


2. Do you have any new resources to let us know whether we did everything right?

Below is the resource that we have followed:


Happy coding,




Reply 1 (1)

Shopify Partner

This means that the webhook endpoints of your app, which use the HTTPS protocol, must verify the HMAC digest of each incoming request. If the digest is invalid, the webhook should return an HTTP 401 status code, which indicates that the request is unauthorized.

The HMAC (hash-based message authentication code) digest is a way of verifying the authenticity and integrity of a request. It is generated using a secret key that is shared between the app and the service that is sending the request. When the app receives a request, it can compute the HMAC digest of the request using the same secret key and compare it to the digest that was included in the request. If the two digests match, it indicates that the request is genuine and has not been tampered with.

If the digests do not match, it indicates that the request is not genuine and should be rejected. Requiring the webhook to validate the HMAC digest of each request and reject requests with an invalid digest helps ensure that the app only responds to genuine requests from trusted sources. This can help protect the app from various security threats, such as man-in-the-middle attacks and replay attacks.
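
An added example, not part of the reply above and not Shopify's own code, of the check the reply describes: compute the digest over the raw request bytes, compare it in constant time, and answer 401 for a wrong, missing or malformed digest. It assumes the digest arrives base64-encoded in the `X-Shopify-Hmac-Sha256` header as an HMAC-SHA256 of the request body; `SECRET`, the function names and the sample payload are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: Shopify's webhook digest header; it is not named on this page.
HMAC_HEADER = "X-Shopify-Hmac-Sha256"
SECRET = b"constructed-app-secret"  # constructed sample value, not a real key


def sign(raw_body, secret):
    """Base64 HMAC-SHA256 over the exact request bytes (sender side)."""
    mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def digest_is_valid(raw_body, header_value, secret):
    if not header_value:
        return False  # a missing header counts as an invalid digest
    try:
        received = base64.b64decode(header_value, validate=True)
    except ValueError:
        return False  # malformed base64 must give 401, not a 500
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)  # constant-time compare


def handle_webhook(raw_body, headers, secret):
    """Return (status, text); verify before parsing or acting on the payload."""
    supplied = {k.lower(): v for k, v in headers.items()}.get(HMAC_HEADER.lower())
    if not digest_is_valid(raw_body, supplied, secret):
        return 401, "Unauthorized"
    event = json.loads(raw_body)
    return 200, f"accepted event {event['id']}"


if __name__ == "__main__":
    body = b'{"id": 1001,  "total": "19.99"}'  # constructed payload
    good = sign(body, SECRET)
    print(handle_webhook(body, {HMAC_HEADER: good}, SECRET))
    print(handle_webhook(body + b" ", {HMAC_HEADER: good}, SECRET))
    print(handle_webhook(body, {}, SECRET))
    # Re-serialising parsed JSON changes the bytes, so the digest no longer matches.
    print(digest_is_valid(json.dumps(json.loads(body)).encode(), good, SECRET))
```

A frequent cause of a failing check is hashing a body that the web framework has already parsed and re-encoded, so the handler should read the raw bytes before any JSON middleware touches them.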