When I create a webhook using the UI, I am able to receive and validate the webhook using the hmac. However, the same isn't working for webhooks I create using the API. Using a very simple webhook (collections/delete), I was able to demonstrate that the hmacs being generated by the two webhooks - both firing off the same event - are different. Here are the requests:
Manually created:
POST /api/webhook/shopify HTTP/1.1
Content-Type: application/json
X-Shopify-Topic: collections/delete
X-Shopify-Shop-Domain: mysite.myshopify.com
X-Shopify-Collection-Id: 84385726550
X-Shopify-Hmac-Sha256: nEGA/M31XeT24ZQy/zKylj2cmfamlUMO+Xm1uZ2odNs=
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 42
Connection: close
Host: mysite.ngrok.io
X-Forwarded-Proto: https
X-Forwarded-For: 35.226.161.123

{"id":84385726550,"published_scope":"web"}
Created through API:
POST /api/webhook/shopify HTTP/1.1
Host: mysite.ngrok.io
User-Agent: Shopify-Captain-Hook
Content-Length: 42
Accept: */*
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Content-Type: application/json
X-Shopify-Collection-Id: 84385726550
X-Shopify-Hmac-Sha256: Qi2OOF3ZoHRWEvhUsCzrsvvmbzYksQhTYAN9itZMZsM=
X-Shopify-Shop-Domain: mysite.myshopify.com
X-Shopify-Topic: collections/delete
Connection: close
X-Forwarded-Proto: https
X-Forwarded-For: 35.237.40.160

{"id":84385726550,"published_scope":"web"}
Any ideas on why these two hmacs would be different? My first thought was that maybe the API-generated webhooks had a different signing key, but I haven't found a reference to this.
Any ideas on what might be going wrong?
This is an accepted solution.
Arg, so, this is solved. Here's the relevant section from the documentation:
Webhooks created through the API by a Shopify App are verified by calculating a digital signature. Each webhook request includes a base64-encoded X-Shopify-Hmac-SHA256 header, which is generated using the app's shared secret along with the data sent in the request.
So indeed, it's a different signing key.
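The situation in this thread, as an added example that is not code from the post or from Shopify: the same 42-byte body signed with two different secrets gives two different X-Shopify-Hmac-Sha256 values, and a receiver that handles both kinds of webhook has to check the header against each secret it holds. The secrets, labels and function names below are constructed placeholders, not real values.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional


def sign(secret: str, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 of the raw request body (header format)."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def match_signing_key(raw_body: bytes, header_value: str,
                      secrets: Mapping[str, str]) -> Optional[str]:
    """Return the label of the secret that produced header_value, else None.

    raw_body must be the bytes exactly as received, before any JSON parsing.
    """
    try:
        received = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return None  # missing or malformed header: reject
    matched = None
    for label, secret in secrets.items():
        expected = hmac.new(secret.encode("utf-8"), raw_body,
                            hashlib.sha256).digest()
        # Constant-time comparison; every key is checked so the loop
        # does not exit early on a match.
        if hmac.compare_digest(expected, received) and matched is None:
            matched = label
    return matched


# Constructed placeholder secrets (assumption: one secret signs webhooks
# created in the admin UI, the app's shared secret signs API-created ones).
SECRETS = {
    "admin_ui_webhook": "constructed-admin-signing-secret",
    "app_shared_secret": "constructed-app-shared-secret",
}
# Body copied from the requests in the question (Content-Length: 42).
BODY = b'{"id":84385726550,"published_scope":"web"}'

if __name__ == "__main__":
    for label, secret in SECRETS.items():
        header = sign(secret, BODY)
        print(label, header, "->", match_signing_key(BODY, header, SECRETS))
```

Logging which label matched (never the secret itself) makes a key mismatch like this one visible immediately instead of appearing as a generic validation failure.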