App must verify the authenticity of the request from Shopify

Shopify Partner
4 0 1

I got rejected because of App must verify the authenticity of the request from Shopify.



Expected HTTP 401 (Unauthorized), but got HTTP 404 from Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest. Learn more about securing mandatory GDPR webhooks


..but going to that link does return 401 response. any thoughts??

Replies 2 (2)

Shopify Staff
30 5 14

Hey Todrick,


Thanks for contacting us. From the situation you explained and after a quick test: the URL you're providing does respond a 401 on GET requests but not on POST request (it responds with a 404)! You'd just need to make the endpoint handle POST requests (all webhooks are sent with that method).


I hope this solves your problem!




Cédric | Developer @ Shopify

To learn more visit the Shopify Help Center or the Community Blog.

Shopify Partner
6 0 0

Hi, if you're working in ruby on rails.

You can try including WebhookVerification module from shopify app gem by adding the following line to your webhooks controller:

include ShopifyApp::WebhookVerification

This module has a before action which verifies the requests against the hmac header and returns 401 unauthorized in case request wasn't sent from shopify.