Verification fails on webhooks .NET

3 0 0

I am internally developing a middleware for a company and, for that end, I have been given access to a sandbox environment store, so with that being said, I am not in the possession of my own shopify partner account.

Now, at the store admin panel (found at "{store-id}") I go to:
Settings > Notifications > Webhooks
Here I register my endpoint as the recipient of the webhooks. I also have a custom app installed with a bunch of related scopes. I've tried the following keys for the digest:

  • The API-key
  • The Secret API-key
  • The Admin-Access token
  • The sample string at the bottom of the notification-settings page.

But neither appear to be generating a signature that matches the header?

They all cause my controller to return 401.


Here's the code for my verification process, in case I did something wrong there.

private bool VerifyAuthenticity(string payloadAsJson, string hmacHeader, string shopId)
        string validationKey = $"{_redactedKey} ";

        byte[] keyAsBytes = Encoding.UTF8.GetBytes(validationKey);
        byte[] payloadAsBytes = Encoding.UTF8.GetBytes(payloadAsJson);

        using (HMACSHA256 hmac = new HMACSHA256(keyAsBytes))
            byte[] digest = hmac.ComputeHash(payloadAsBytes);
            string signature = Convert.ToBase64String(digest);

            return String.Equals(signature, hmacHeader, StringComparison.Ordinal);
        return false;

Although, I do believe I've analyzed the Python-script available at the documentation properly.

The webhooks are registered at the admin-panel and not subscribed to with an HttpRequest.

Replies 0 (0)