How to properly process customers/data_request webhook requests

Chad_Johnson · ‎03-22-2023

We are implementing the GDPR webhook endpoints in our app and are wondering exactly how to respond to the "customers/data_request" webhook. From the documentation, the request payload looks like this:

{
  "shop_id": 954889,
  "shop_domain": "{shop}.myshopify.com",
  "orders_requested": [299938, 280263, 220458],
  "customer": {
    "id": 191167,
    "email": "john@example.com",
    "phone":  "555-625-1199"
  },
  "data_request": {
    "id": 9999
  }
}

Would our webhook respond with full order data (including "shipping_address", "billing_address", "customer", etc. fields) for the three orders referenced under "orders_requested"?

{
  "orders": [
    {
      // Full Shopify order data here for order 299938
    },
    {
      // Full Shopify order data here for order 280263
    },
    {
      // Full Shopify order data here for order 220458
    }
  ]
}

Or, would the webhook extract just the "customer" field (object) and return that for each referenced order?

{
  "orders": [
    {
      "id": 299938,
      "customer": {
        "id": 6380400443630,
        "email": "customer@example.com",
        "accepts_marketing": false,
        "created_at": "2023-03-22T09:57:02-07:00",
        "updated_at": "2023-03-22T09:57:02-07:00",
        "first_name": "Example",
        "last_name": "Customer",
        "orders_count": 13,
        "state": "disabled",
        "total_spent": "13.00",
        "last_order_id": 5077155873006,
        "note": null,
        "verified_email": true,
        "multipass_identifier": null,
        "tax_exempt": false,
        "tags": "",
        "last_order_name": "#1013",
        "currency": "USD",
        "phone": null,
        "accepts_marketing_updated_at": "2023-03-22T09:57:02-07:00",
        "marketing_opt_in_level": null,
        "tax_exemptions": [],
        "email_marketing_consent": {
          "state": "not_subscribed",
          "opt_in_level": "single_opt_in",
          "consent_updated_at": null
        },
        "sms_marketing_consent": null,
        "admin_graphql_api_id": "gid://shopify/Customer/6380400443630",
        "default_address": {
          "id": 7954574639342,
          "customer_id": 6380400443630,
          "first_name": "Example",
          "last_name": "Customer",
          "company": "",
          "address1": "",
          "address2": "",
          "city": "",
          "province": "Alabama",
          "country": "United States",
          "zip": "",
          "phone": "",
          "name": "Example Customer",
          "province_code": "AL",
          "country_code": "US",
          "country_name": "United States",
          "default": true
        }
      }
    },
    {
      "id": 280263,
      "customer": {
        // etc
      }
    },
    {
      "id": 220458,
      "customer": {
        // etc
      }
    }
  ]
}

nip34 · ‎04-06-2023

I think just a 200 is ok with an empty body. It means you have received the webhook and you have processed it form your side.

This is how we have it now in a 1 year old custom .net implementation.

Question:

But i wanted to ask you Chad how did you setup your gdpr webhooks in your nodejs/react project and panel?

Because we are trying like 2 weeks now without any success.

Panel side: GDPR webhooks urls are what?

- api/webhooks? the callback url in gdpr.js?

- webhooks/your-custom-url?

- /your-custom-url?

Nodejs/React Project: GDPR webhooks come at gdpr.js but i cant seem them to be registered.
So we tried having them in public urls -> no success

We also tried having them in api "protected" urls -> no success

Also while making these changes, we change the admin panel settings above to change the urls.

Any ideas or how did you do it?