Mandatory webhooks process

Solved
wangyun234
Shopify Partner
3 0 0

I would like to confirm some information related to mandatory webhook:
1. When making a request, there will be a payload request body; when responding, we only need to respond with the corresponding status code, such as 200 if the verification is successful, and 401 if the verification fails, that is, no return body is needed.
2. Do these webhooks have to be developed inside the application and then released together with the application? If my project is in another language, the mandatory webhook definition will not be included in the application code, but in our own project. Is this feasible?
3. Does the webhook have to be verified? For example, if I don’t verify it, I will directly return a status code of 200. Is this okay?

Accepted Solution (1)
Liam
Shopify Staff
1942 206 585

This is an accepted solution.

Hi Wangyun234,

1. When Shopify sends a webhook to your specified endpoint, it expects a response to acknowledge receipt. You should respond with only a status code - a response body is not expected or used. A 200 OK status code indicates that you've successfully received the webhook. If there's an issue with the webhook verification or any other error, you can respond with appropriate error codes like 401 Unauthorized or 400 Bad Request.

2. Webhooks don't necessarily have to be developed inside the main application. They can be part of another service or project as long as they are accessible via a URL. When you register a webhook in Shopify (either through the admin interface or via the API), you provide a URL for Shopify to post data to. This URL can point to any accessible endpoint, whether it's part of your main app or a separate service. As long as the endpoint is live and can handle incoming webhook data, it doesn't matter if it's released with your main application or separately.

3. Shopify provides a mechanism to verify webhooks to ensure they are genuinely coming from Shopify. This is done by calculating a digital signature and comparing it to the one Shopify sends in the X-Shopify-Hmac-SHA256 header. Webhook verification is not mandatory - you could choose to trust every incoming request and respond with a 200 OK without verifying. However, this is not recommended for security reasons. Without verification, your endpoint is open to potential abuse, where malicious actors could send fake webhooks.

Hope this helps,

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
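The verification step from point 3 and the status-code-only response from point 1, as an added example that is not part of the original thread and not Shopify's own library code. It assumes a placeholder app client secret (`APP_CLIENT_SECRET`) and a hypothetical framework-agnostic handler (`handle_webhook`) that receives the raw request body and a header dictionary; the sample payload and its signature are constructed inline so the snippet runs offline. The signature Shopify sends is the base64-encoded HMAC-SHA256 of the raw request body keyed with the app's client secret, and it must be recomputed over the exact bytes received, not over re-serialized JSON.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Assumed placeholder; a real app loads its client secret from configuration.
APP_CLIENT_SECRET = b"hypothetical-app-client-secret"


def compute_shopify_hmac(raw_body: bytes, secret: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the format Shopify uses in X-Shopify-Hmac-SHA256."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_shopify_webhook(raw_body: bytes, header_value: Optional[str], secret: bytes) -> bool:
    """True only if the header matches the signature recomputed over the raw bytes."""
    if not header_value:
        return False
    expected = compute_shopify_hmac(raw_body, secret)
    # Constant-time comparison over bytes so a malformed (non-ASCII) header cannot raise.
    return hmac.compare_digest(expected.encode("ascii"), header_value.encode("utf-8"))


def handle_webhook(raw_body: bytes, headers: Dict[str, str], secret: bytes = APP_CLIENT_SECRET) -> int:
    """Return the HTTP status code to send back; the response body stays empty."""
    if not verify_shopify_webhook(raw_body, get_header(headers, "X-Shopify-Hmac-SHA256"), secret):
        return 401  # verification failed: do not process the payload
    # Only now is it safe to act on the payload (e.g. queue it for processing).
    return 200


# Constructed sample: a tiny payload signed the way Shopify would sign it for this secret.
SAMPLE_BODY = b'{"shop_id": 1, "shop_domain": "example.myshopify.com"}'
SAMPLE_HEADERS = {"X-Shopify-Hmac-SHA256": compute_shopify_hmac(SAMPLE_BODY, APP_CLIENT_SECRET)}

if __name__ == "__main__":
    print("valid signature  ->", handle_webhook(SAMPLE_BODY, SAMPLE_HEADERS))
    print("tampered body    ->", handle_webhook(SAMPLE_BODY + b" ", SAMPLE_HEADERS))
    print("missing header   ->", handle_webhook(SAMPLE_BODY, {}))
```

The handler returns 200 only after the signature check passes and 401 otherwise, matching the status-code-only contract described above; any framework can wrap it by passing the unmodified request body bytes and the request headers.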

wangyun234
Shopify Partner
3 0 0

Your answer is exactly what I wanted, thank you very much.