Webhook response doesn't contain X_SHOPIFY_HMAC_SHA256

Max34
Shopify Partner
15 0 2

I've been working on creating some webhooks for my dev-shop. Unfortunately none of the test notifications contain X_SHOPIFY_HMAC_SHA256 in the header.

I'm getting only HTTP_X_SHOPIFY_TOPIC and HTTP_X_SHOPIFY_SHOP_DOMAIN. Nothing in the headers (i'm dumping the $_SERVER array in php) looks like the SHA.

Is that because of the dev-shop? Will it change with the real shop? For me it looks quite strange if this is not available to test with the dev shop?

Hope that somebody have faced similar issue and knows the answer!

Replies 7 (7)

Chris_Saunders
Shopify Staff
591 0 53

HTTP_X_SHOPIFY_HMAC_SHA256 and HTTP_X_SHOPIFY_TOPiC is a goofy thing Rails/Rack does when pulling out HTTP headers.

Since you aren't using Rails the headers should be under "X-Shopify-Hmac-SHA256" and "X-Shopify-Topic" respectively. I think the docs cover this but if not I'll get that update appropriately.

Chris | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Max34
Shopify Partner
15 0 2

Hi Chris,

There is nothing like X-Shopify-Hmac-SHA256 in the header (taking into account all possible lower/higher case combinations).

Though I'm getting 'X-Shopify-Topic' and 'X-Shopify-Shop-Domain'.

Any idea why?

Chris_Saunders
Shopify Staff
591 0 53

Is it a custom webhook endpoint that you created in the admin?

Chris | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Max34
Shopify Partner
15 0 2

Yes,

All I'm doing in that php script is:

ob_start();
var_dump($_SERVER);
$output = ob_get_clean();
file_put_contents('output.txt', $output);

 

Jared_Evans
New Member
5 0 0

for god knows what reason, shopify have decided that webhooks created in the admin shouldn't be able to be validated.  If you want to use the X-Shopify-Hmac-SHA256 to validate your webhook, you need to create the webhook through the API.

Chris_Saunders
Shopify Staff
591 0 53

Webhooks created through the Admin don't have a key so they have no identifying information that can be used to generate the signature. That's why it's missing.

If you want you can use a private app and create webhooks that way. Also since they are scoped to the app they won't show up in the Admin and users won't be able to destroy them by mistake.

Chris | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Max34
Shopify Partner
15 0 2

Thank you Jared, Chris. That helps a lot!