Re: Error Verify Webhooks In Node.js - AWS Lambda

Error Verify Webhooks In Node.js - AWS Lambda

New Member
6 0 0

Hi, I have the following issue:

App must verify the authenticity of the request from Shopify.

Expected HTTP 401 (Unauthorized), but got HTTP 403 from https://******** Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest. Learn more about verifying a webhook
The code I am using is:



var CryptoJS = require("crypto-js");

exports.handler = async (event) => {

    const { webhook_verify_hash } = process.env;
    // get the header with validation hash from webhook
    const hmac = event.headers ?
        event.headers['X-Shopify-Hmac-Sha256'] || event.headers['x-shopify-hmac-sha256']
        : "";
    var statusCode = 400;
    let firma = CryptoJS.HmacSHA256(event.body, "shpss_*******");
    let calculatedHmac = firma.toString(CryptoJS.enc.hex);

    if (hmac == calculatedHmac) {
        console.log("se va a obtener el token");
        statusCode = 200
    } else {
        console.log("no obtiene el token");
        statusCode = 400
    }

    const response = {
        statusCode: statusCode
    };
    return response;
};



* How can I test the mandatory webhooks and verify the response that I receive?

Replies 3 (3)

New Member
6 0 0

To verify the Hmac I also used:


var CryptoJS = require("crypto-js");

exports.handler = async (event, context) => {
    let hmac = event.hmac;
    const bodyString2 = Buffer.from(event.body, "utf8").toString();
    var bodyForVerification = bodyString2.replace('/\\/g', '\\\\');

    let firma3 = CryptoJS.HmacSHA256(bodyForVerification, "****");
    var hashInBase643 = CryptoJS.enc.Base64.stringify(firma3);
    let calculatedHmacBase3 = hashInBase643.toString(CryptoJS.enc.hex);
    if (hmac == calculatedHmacBase3) {
        // (the rest of the handler is not shown in the post)
    }
};

But still the Hmac is different, HELP!!!

Shopify Staff
30 5 14

Hey Luis45,


The problem could come from several origins:

- the request body should not be changed

- the request body must be read using the utf8 encoding

- when you create the HMAC signature, the result must then be encoded in base64


I'm not a node.js specialist, but a common pattern I see in node apps checking webhooks is using the 'crypto' package like this:

const crypto = require('crypto');
const generatedHash = crypto.createHmac('sha256', API_SECRET_KEY)
    .update(reqBody, 'utf8')
    .digest('base64');

Also if you don't know it already, there's a npm package for shopify api and related code:

There are event helpers to help deal with webhooks:


I hope this helps you!




Cedric | Developer @ Shopify


New Member
6 0 0

Hi @cdarne, I'm using the 'crypto-js' package and this doesn't have the func "createHmac". I searched for the module 'crypto' but I did not find it. I need the module to upload it to the AWS Lambda.
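
A Lambda handler that applies the three points from the staff reply (unmodified body, UTF-8, base64 digest) and returns the HTTP 401 that the check quoted in the first post expects. This is an added example, not code from any poster in the thread; it uses the `crypto` module that ships with Node.js, and the `SHOPIFY_API_SECRET` variable name and the helper function names are assumptions.

```javascript
const crypto = require('crypto'); // built into the Node.js runtime, nothing to bundle

// Recompute the HMAC over the exact raw body and compare in constant time.
function verifyShopifyHmac(rawBody, headerHmac, secret) {
  if (typeof headerHmac !== 'string' || !secret) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(headerHmac, 'base64');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// API Gateway can deliver the body base64-encoded; recover the original bytes
// instead of re-serialising or escaping the string.
function rawBodyOf(event) {
  return Buffer.from(event.body || '', event.isBase64Encoded ? 'base64' : 'utf8');
}

// Header casing differs between integrations, so look the name up case-insensitively.
function headerOf(event, name) {
  const headers = event.headers || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? headers[key] : undefined;
}

// Build the response: 200 for a valid digest, 401 for anything else.
function respond(event, secret) {
  const ok = verifyShopifyHmac(
    rawBodyOf(event),
    headerOf(event, 'x-shopify-hmac-sha256'),
    secret
  );
  return { statusCode: ok ? 200 : 401 };
}

// SHOPIFY_API_SECRET is an assumed environment variable name.
exports.handler = async (event) => respond(event, process.env.SHOPIFY_API_SECRET);
```

A hex-encoded digest in the header fails the length check here, because Shopify sends the digest base64-encoded.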