Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Verify webhook

Verify webhook

Colaorom
Shopify Partner
3 0 0

I try to understand how webhook should be verified. 

I have read "Step 5: Verify the webhook" in https://shopify.dev/docs/apps/webhooks/configuration/https. I work in a language that's not include in the example and I need more info on how the process is work in order to build it on my own. 

 

Documentation say: 

which is generated using the app's client secret along with the data sent in the request

What part of the request is used? Is it the header, body or both? Or have I understand it wrong?

Replies 6 (6)

chetancrao
Shopify Partner
42 5 5

Hi @Colaorom,

 

Thank you for reaching out to the Shopify community.

 

To verify the registered webhook, we kindly ask you to follow the outlined steps below:

Things to keep handy:

  • Store the request body of the payload in a variable.

  • Use base64 encoding to generate a keyed hash value using the HMAC method within the sha256 algorithm.

  • While generating the hash value for the request body, ensure to include the key SHOPIFY_SECRET.

  • Subsequently, compare the obtained hashed key with the header named X-Shopify-Hmac-SHA256 or HTTP_X_SHOPIFY_HMAC_SHA256. If there is a match, the webhook can be considered verified.

In the event that you encounter any difficulties comprehending these instructions, kindly respond with the programming language you are utilizing for handling the webhook. I will be pleased to further assess the matter and provide the necessary code snippet.

 

Thank you once again for your inquiry and cooperation.

Cheetos || Recurpay Subscriptions

- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
Colaorom
Shopify Partner
3 0 0

Hello! Thanks for reply! I have tried but get a missmatch. 
I use Claris FileMaker. This is the code: 

 

Let ( 
  [
    Body = JSONGetElement ( $V ; "body" ; 
    Key = "" ;
  ] ;
  Base64EncodeRFC ( 4648 ; CryptAuthCode ( Body ; "SHA256" ; Key ) )
)

 

thaitv91
New Member
4 0 0

hi @chetancrao SHOPIFY_SECRET use API secret key in App development > Order App > API key and secret key, right?
But when I compared rawBody (use Buffer covert body from json webhook) with X-Shopify-Hmac-SHA256, it really didn'n match

Liam
Community Manager
3108 342 884

Hi Colaorom

 

Which language are you working in? Essentially the process of verifying a webhook from Shopify involves comparing the HMAC header sent in the request with an HMAC value that you compute yourself. The HMAC value is computed from the body of the request, not the headers or any other part of the request. The body should be used in its raw, unaltered form. The shared secret used as the key to compute the HMAC value is unique to your app and can be found in your Shopify Partner Dashboard. 

 

Hope this helps!

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

Colaorom
Shopify Partner
3 0 0

Hello Liam!

Im using Filemaker Claris as platform and language. 

I have only developer app. I suppose that's the hidden key in the shops settings > apps > developer app > API tasks?  

thaitv91
New Member
4 0 0

Hi @Liam  SHOPIFY_SECRET use API secret key in App development > Order App > API key and secret key, right?
But when I compared rawBody (use Buffer covert body from json webhook) with X-Shopify-Hmac-SHA256, it really didn'n match