Hey,
So I've been trying to set up webhook authentication but I have been running into an issue that I suspect is due to formatting of the hmac digest.
The HTTP header that I extract (from "X-Shopify-Hmac-SHA256") tends to look something like:
YXM730947gKEWm/26s9z/sCdKWNPTNN1qMRNFhdOBFQ=
(with an equals sign at the end, typically 44 characters long and alphanum+symbols).
The hexdigests that I generate in Python using
hmac.new("secret here", data, sha256).hexdigest()
tend to be 64 characters long and consist only of numbers+[A-F].
Again, I don't think the issue is with the hmac that I'm generating since the overall format of the hmac provided in the headers by Shopify is different.
Does anybody have any insight as to what's going on or what I could do differently?
Hey George,
Have you had a look at our documentation/example Ruby code for verifying webhooks? I think it would be worth taking a peek at in this case.
At a glance, it sounds like you're just missing the step where you base64 encode the signature - if you could test that out it should do the trick!
Josh | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
Thanks Josh,
That did the trick, must have missed that part; the Python library I was using didn't have an explicit base64 call so my fix ended up being to take the hex_string.decode("hex").encode("base64").replace('\n', '') and compare (for anybody else running into the same issue).
Is there any particular reason the authentication digest is hex while the webhook one is base64? Also, I was wondering if it is possible to edit the documentation to make this difference more explicit to avoid this in the future. Maybe something like:
```
Each Webhook request includes an X-Shopify-Hmac-SHA256 header which is generated using the app's shared secret, along with the data sent in the request. Unlike the HMAC field used in granting permissions to the application which is encoded in hex, the Webhook HMAC is encoded in base64, as shown by the code snippets below.
```
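The hex/base64 mismatch and the fix discussed above, as an added Python 3 example that is not part of the original thread or of Shopify's documentation. The function names, secret and request body are constructed for illustration; the check decodes the header and compares raw digests in constant time.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials or a real payload.
SECRET = b"constructed-shared-secret"
BODY = b'{"id":1001,"email":"test@example.com"}'


def webhook_digests(secret: bytes, body: bytes) -> tuple:
    """Return the same HMAC-SHA256 digest as (hex text, base64 text)."""
    raw = hmac.new(secret, body, hashlib.sha256).digest()  # 32 raw bytes
    return raw.hex(), base64.b64encode(raw).decode("ascii")


def hex_to_base64(hex_digest: str) -> str:
    """Python 3 form of hex_string.decode("hex").encode("base64"), no newline."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def verify_webhook(secret: bytes, body: bytes, header_value) -> bool:
    """Check an X-Shopify-Hmac-SHA256 value against the raw request body bytes."""
    if not header_value:
        return False
    try:
        # The header carries base64, so decode it back to raw digest bytes.
        received = base64.b64decode(header_value, validate=True)
    except ValueError:  # malformed base64 (binascii.Error subclasses ValueError)
        return False
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    hex_form, b64_form = webhook_digests(SECRET, BODY)
    print(len(hex_form), hex_form)   # 64 hex characters
    print(len(b64_form), b64_form)   # 44 characters, ends with "="
    print(verify_webhook(SECRET, BODY, b64_form))
    print(verify_webhook(SECRET, BODY, hex_form))  # hex in the header fails
```
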
Hey George,
I'll bring this up with the powers that be (our documentation team), I suppose that could be a bit more clear since you wouldn't know otherwise unless you read the code example. Thanks for bringing it to our attention!
Josh | Shopify