I created a webhook of type order creation from the Shopify admin (not the partner dashboard). Once you create a webhook over there it gives you a key and it says: "All your webhooks will be signed with "key here" so you can verify their integrity". that is not the API key nor the API secret key that appears on the Shopify partners dashboard when you create an app.
Now, I followed every tutorial on how to encrypt the body of the request and compare it to the HMAC. this is my code, which is the same that appears on every tutorial online (btw I do get the body just fine and the endpoint on my server works):
I have tried every key in my possession. I am using no middleware. The req.body does return the body. req.headers returns the headers (and the HMAC) just fine. the requests are coming through. However nothing that I have done makes it so that the hash is the same as the HMAC, but it should as the code is the same as that everywhere else I look online. I also tried to compare the values with safe compare but the hashes are completely different from each other.
Does anyone have any idea why this is not working?