FROM CACHE - en_header
Promotion image

Why we don't need to verify the webhook when using google pub/sub ?

Why we don't need to verify the webhook when using google pub/sub ?

manit4c
Shopify Partner
28 4 3
‎09-28-2022 06:25 AM

Hi,

i've followed this two tutorial to create register and use a webhook :

https://shopify.dev/apps/webhooks/configuration/google-cloud#google-cloud-pub-sub-message-structure

https://www.youtube.com/watch?v=m9MQyRWnMdU

 

In the first one they say : "unlike with an HTTP webhook, you don't need to perform HMAC verification"

 

I don't understand why, no verification is needed !

How, can i be sure that is shopify who call my google pub/sub route registered in the webhook and not another person with bad intention ?

 

Can someone help me understand this ?

Check out our apps made with love, here:
https://apps.shopify.com/partners/opart
770 Views
0 Likes
Report
Reply 1 (1)

phase0
Shopify Partner
1 0 0
‎11-27-2022 09:52 AM

You gave Shopify's service account explicit permission to trigger your webhook. Only systems with access to that Service Account (which is Shopify) can authenticate using that service account. 

 

Read more about Google's service accounts:

https://cloud.google.com/iam/docs/service-accounts

675 Views
0 Likes
Report

Community Blog Articles

May '25.jpg
Celebrating our Members of May '25

June brought summer energy to our community. Members jumped in with solutions, clicked ...

By JasonH Jun 5, 2025
441285313-63bbef53-3fbe-4e8b-a706-5b37afa90468.png
Automate store operations with Shopify Academy & Coding with Jan

Learn how to build powerful custom workflows in Shopify Flow with expert guidance from ...

By Jacqui May 7, 2025
April 25.jpg
Highlighting our Members of April '25

Did You Know? May is named after Maia, the Roman goddess of growth and flourishing! ...

By JasonH May 2, 2025
Terms of Service Privacy Policy