Re: Mandatory webhooks process

Solved

Mandatory webhooks process

wangyun234
Shopify Partner
3 0 0

I would like to confirm some information related to mandatory webhook:
1. When making a request, there will be a payload request body; when responding, we only need to respond with the corresponding status code, such as 200 if the verification is successful, and 401 if the verification fails, that is, no return body is needed.
2. Do these webhooks have to be developed inside the application and then released together with the application? If I am a project in another language, the mandatory webhook definition will not be included in the application code, but included in our own Is this feasible in a project?
3. Does the webhook have to be verified? For example, if I don’t verify it, I will directly return a status code of 200. Is this okay?

Accepted Solution (1)

Liam
Shopify Staff
2807 310 805

This is an accepted solution.

Hi Wangyun234,

 

1. When Shopify sends a webhook to your specified endpoint, it expects a response to acknowledge receipt. You should respond with only a status code - a response body is not expected or used. A 200 OK status code indicates that you've successfully received the webhook. If there's an issue with the webhook verification or any other error, you can respond with appropriate error codes like 401 Unauthorized or 400 Bad Request.

 

2. Webhooks don't necessarily have to be developed inside the main application. They can be part of another service or project as long as they are accessible via a URL. When you register a webhook in Shopify (either through the admin interface or via the API), you provide a URL for Shopify to post data to. This URL can point to any accessible endpoint, whether it's part of your main app or a separate service. As long as the endpoint is live and can handle incoming webhook data, it doesn't matter if it's released with your main application or separately.

 

3. Shopify provides a mechanism to verify webhooks to ensure they are genuinely coming from Shopify. This is done by calculating a digital signature and comparing it to the one Shopify sends in the X-Shopify-Hmac-SHA256 header. Webhook verificationis not mandatory - you could choose to trust every incoming request and respond with a 200 OK without verifying. However, this is not recommended for security reasons. Without verification, your endpoint is open to potential abuse, where malicious actors could send fake webhooks.

 

Hope this helps,

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

View solution in original post

Replies 2 (2)

Liam
Shopify Staff
2807 310 805

This is an accepted solution.

Hi Wangyun234,

 

1. When Shopify sends a webhook to your specified endpoint, it expects a response to acknowledge receipt. You should respond with only a status code - a response body is not expected or used. A 200 OK status code indicates that you've successfully received the webhook. If there's an issue with the webhook verification or any other error, you can respond with appropriate error codes like 401 Unauthorized or 400 Bad Request.

 

2. Webhooks don't necessarily have to be developed inside the main application. They can be part of another service or project as long as they are accessible via a URL. When you register a webhook in Shopify (either through the admin interface or via the API), you provide a URL for Shopify to post data to. This URL can point to any accessible endpoint, whether it's part of your main app or a separate service. As long as the endpoint is live and can handle incoming webhook data, it doesn't matter if it's released with your main application or separately.

 

3. Shopify provides a mechanism to verify webhooks to ensure they are genuinely coming from Shopify. This is done by calculating a digital signature and comparing it to the one Shopify sends in the X-Shopify-Hmac-SHA256 header. Webhook verificationis not mandatory - you could choose to trust every incoming request and respond with a 200 OK without verifying. However, this is not recommended for security reasons. Without verification, your endpoint is open to potential abuse, where malicious actors could send fake webhooks.

 

Hope this helps,

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

wangyun234
Shopify Partner
3 0 0

Your answer is exactly what I wanted, thank you very much.