Stuck on 'App must verify the authenticity of the request from Shopify' with app submission

2 0 0

I really don't know how to fix this, I've submitted my app in the past without any issues.


  1. App must verify the authenticity of the request from Shopify.
    Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest.Learn more about verifying a webhook
  2. App must be served over HTTPS.
    There was an error connecting to your app. Make sure itsApp URL and Allowed redirection URLwork correctly.

I can even see the Shopify test requests in my backend logs, and they all seem fine to me.


(1) Feb 09 10:36:16 - GET /shopify/token HTTP/1.1 401 43 - 0.982 ms


(2) Feb 09 10:09:35 - GET /shopify/install?hmac=XXXXbfd03f0e9970be6d907a69d24d19ca1fda1db092d6cd0a2e3ba92cb547b2&host=XXXXYnJpZGdldGVzdHNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&session=XXXXcb5baa6de89cb480de8b89c238d860c3c9eb96d0059d68c4580d4907d395& HTTP/1.1 302 950 - 0.727 ms

(3) Feb 09 10:09:36 - GET /shopify/token?code=XXXX45dba979629298c10f422397b834&hmac=XXXXcdb4881cbbdd12fd2b434dcb404bab493df57094ec90aea561ba4b67d17c&host=XXXXYnJpZGdldGVzdHNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg& HTTP/1.1 302 364 - 634.158 ms

I've tried the same requests changing the hmac and it successfully return 401.


I can't see any requests being made for subscribed webhooks, but I tested them myself and they work just fine. What is going on?


I really don't know what else to do or who to talk with...


Replies 5 (5)

Shopify Staff (Retired)
267 40 51



@javioverflow I would recommend reaching out to partner support to find out what the issue is, and if needed we can provide additional support.



To learn more visit the Shopify Help Center or the Community Blog.

Shopify Partner
35 1 6

Hi Csam!

Myself also getting the following Requirements,

Requirements that must be met before initial screening

  1. App must set security headers to protect against clickjacking.
    Your app url's host is invalid.
  2. Your partner account requires an emergency developer contact.
    The app is missing a developer emergency contact phone and email.
  3. App must verify the authenticity of the request from Shopify.
    Your app url's host is invalid.
  4. App must be served over HTTPS.
    Your app url's host is invalid.

Please help me out how to fix this ..

Shopify Partner
2 0 0

Hey @Sharan_oapps , Is you issue fixed, can you please let me know, I am facing same issue

Shopify Partner
2 0 0
let { hmac, host, shop, timestamp } = req.query;
const sign = (content, secret) => {
return crypto.createHmac("sha256", secret).update(content).digest("hex");


if (sign(`host=${host}&shop=${shop}&timestamp=${timestamp}`, config.shopifyPartner.secret) != hmac) {

Shopify Partner
6 0 0

Hi, if you're working in ruby on rails.

You can try including WebhookVerification module from shopify app gem by adding the following line to your webhooks controller:

include ShopifyApp::WebhookVerification

This module has a before action which verifies the requests against the hmac header and returns 401 unauthorized in case request wasn't sent from shopify.