GDPR webhooks do not include HMAC


It looks like the GDPR webhooks do not include the "x-shopify-hmac-sha256" headers, so how can we be sure the request is safe to be executed? Only by knowing the shop_id, anyone can send a "shop/redact" to a known endpoint to delete the shop data...


Shopify Staff

Hello! The `X-Shopify-Hmac-SHA256` header is always included in our `customers/redact` and `shop/redact` webhooks. Is there a specific request you've found that is missing it?


Not exactly; it is the first time the hashes do not match, so I thought the HMAC was empty... but you are right, I'm sorry, it was our mistake.
Shopify Partner

Hello,

I am getting a blank `X-Shopify-Hmac-SHA256` header before creating a charge after auth/callback.

Can you please share the proper sample code or any link?

I have been stuck on this for hours 🙂


