I am trying to understand how a webhook should be verified.
I have read "Step 5: Verify the webhook" in https://shopify.dev/docs/apps/webhooks/configuration/https. I work in a language that's not included in the examples and I need more info on how the process works in order to build it on my own.
The documentation says:
which is generated using the app's client secret along with the data sent in the request
What part of the request is used? Is it the header, the body, or both? Or have I understood it wrong?
Hi @Colaorom,
Thank you for reaching out to the Shopify community.
To verify the registered webhook, we kindly ask you to follow the outlined steps below:
Things to keep handy:
Store the request body of the payload in a variable.
Use base64 encoding to generate a keyed hash value using the HMAC method within the sha256 algorithm.
While generating the hash value for the request body, ensure to include the key SHOPIFY_SECRET.
Subsequently, compare the obtained hashed key with the header named X-Shopify-Hmac-SHA256 or HTTP_X_SHOPIFY_HMAC_SHA256. If there is a match, the webhook can be considered verified.
In the event that you encounter any difficulties comprehending these instructions, kindly respond with the programming language you are utilizing for handling the webhook. I will be pleased to further assess the matter and provide the necessary code snippet.
Thank you once again for your inquiry and cooperation.
Hello! Thanks for the reply! I have tried but get a mismatch.
I use Claris FileMaker. This is the code:
Let (
[
Body = JSONGetElement ( $V ; "body" ) ;
Key = "" ;
] ;
Base64EncodeRFC ( 4648 ; CryptAuthCode ( Body ; "SHA256" ; Key ) )
)
Hi @chetancrao, SHOPIFY_SECRET uses the API secret key in App development > Order App > API key and secret key, right?
But when I compared rawBody (using Buffer to convert the body from the JSON webhook) with X-Shopify-Hmac-SHA256, it really didn't match.
Hi Colaorom
Which language are you working in? Essentially the process of verifying a webhook from Shopify involves comparing the HMAC header sent in the request with an HMAC value that you compute yourself. The HMAC value is computed from the body of the request, not the headers or any other part of the request. The body should be used in its raw, unaltered form. The shared secret used as the key to compute the HMAC value is unique to your app and can be found in your Shopify Partner Dashboard.
Hope this helps!
Liam | Developer Advocate @ Shopify
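The check described in the reply above, as an added Node.js example (not part of the original thread and not Shopify's own code): it verifies the raw body against the header value and shows that a body re-serialized from parsed JSON no longer matches. The function names, the secret and the payload are constructed for illustration.

```javascript
const crypto = require('crypto');

// Base64 of HMAC-SHA256 over the given bytes, keyed with the app's client secret.
function computeHmac(bodyBytes, clientSecret) {
  return crypto.createHmac('sha256', clientSecret).update(bodyBytes).digest('base64');
}

// rawBody: Buffer holding the request body exactly as received, before JSON parsing.
// hmacHeader: value of the X-Shopify-Hmac-SHA256 request header.
function verifyWebhook(rawBody, hmacHeader, clientSecret) {
  if (typeof hmacHeader !== 'string' || hmacHeader === '') return false;
  const expected = Buffer.from(computeHmac(rawBody, clientSecret), 'base64');
  const received = Buffer.from(hmacHeader, 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample values (not a real secret or a real Shopify payload).
const SECRET = 'constructed-client-secret';
const RAW_BODY = Buffer.from(
  '{"id": 1001, "note": "caf\u00e9", "total_price": "10.00"}', 'utf8');
// Stands in for the header a sender would attach to this exact body.
const HEADER = computeHmac(RAW_BODY, SECRET);

// Same data after a parse/stringify round trip: the whitespace changes,
// so the bytes (and therefore the HMAC) differ from what was signed.
const REPARSED = Buffer.from(
  JSON.stringify(JSON.parse(RAW_BODY.toString('utf8'))), 'utf8');

console.log('raw body verifies:      ', verifyWebhook(RAW_BODY, HEADER, SECRET));
console.log('re-serialized verifies: ', verifyWebhook(REPARSED, HEADER, SECRET));
console.log('wrong secret verifies:  ', verifyWebhook(RAW_BODY, HEADER, 'other-secret'));
```

In a web framework, capture the body bytes before any JSON body parser runs and pass those bytes to the check.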
Hello Liam!
I'm using Claris FileMaker as platform and language.
I only have a developer app. I suppose that's the hidden key in the shop's settings > apps > developer app > API tasks?
Hi @Liam, SHOPIFY_SECRET uses the API secret key in App development > Order App > API key and secret key, right?
But when I compared rawBody (using Buffer to convert the body from the JSON webhook) with X-Shopify-Hmac-SHA256, it really didn't match.